Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why should we always use our real names while generating GPG key? [closed]

Tags:

git

gnupg

I'm using GPG to sign my git commits as the project I'm working for wants.

But I use a pseudonym and I don't want to be identified like by my GPG signature.

Over here: it asks us to use only our real names (as in our passport or government issued ID).

What is the necessity? How can I maintain my anonymity with GPG?

like image 723
batman Avatar asked Sep 20 '14 11:09

batman

2 Answers

In general, this advice is linked to CLA (Contribution License Agreement), which defines the terms under which intellectual property has been contributed to a company/project, typically software under an open source license.

The Canonical contributor licence agreement for Ubuntu mentions in its FAQ that it uses now a copyright licence agreement (where the contributor grants permission for Canonical to distribute the contribution).

The Canonical Individual Contributor License Agreement is a deal between "You" and Canonical, so if you are using your GPG key, attaching it to a contribution to Canonical, its metadata should reflect "You" (actual name or address), in order for the IP (Intellectual Property) to be respected.

There are projects like CLAHub (Contributor License Agreements on GitHub) to make the process easier, but if you are using a GPG key for contributing to an open source project in the context of a CLA, then the information should be accurate.

If you are using the GPG key in any other context, you can associate any metadata (name/email, ...) that you want.

like image 121
VonC Avatar answered Sep 30 '22 08:09

VonC

It's not necessary. You referenced

  • recommendation|agreement
  • For Ubuntu-world only

But (is Wiki-reference OK for you?):

when verifying signatures, it is critical that the public key used to send messages to someone or some entity actually does 'belong' to the intended recipient. Simply downloading a public key from somewhere is not an overwhelming assurance of that association; deliberate (or accidental) impersonation is possible

because I can see (and get) a lot of different "learner"'s signatures, I want (under some conditions) be sure, who is each "learner" and know - is it the same person or I have any type of impersonation

PS: Security site of SE-family may be better and more relevant location for such type of questions

like image 20
Lazy Badger Avatar answered Sep 30 '22 09:09

Lazy Badger
Sign in to Comment

Related questions

Git - Cannot delete remote branch
Git- Tracking remote branches
How to handle a Git discontinuity?
EGit - pull= failled and no conflicts
Git: Renaming files with EGit causes deletion of file history
zsh - show if git branch have unpushed commits
Git/GitHub Total Number Of Lines Contributed For An Account
Cannot run aws.push for local repository head
Shortcut for git add --ignore-removal?
How to get list of all git remotes present on my machine?
.gitignore whitelist * not working correctly
Git error 400 when doing push
Is it possible to force git submodules to be updated?
Git format-patch/bundle for human-readable sneakernet "pull/push"
Using GIT to deploy website
Why does git checkout <remote_branchname> not create new tracking branch?
Get git commit from short hash using Github API
Can we reclone a git repository from the existing local repository
Does JGit support Git Credentials?
Github-Jenkins Trigger issue with slave

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!