1 |
On 03/22/2018 12:38 PM, Rich Freeman wrote: |
2 |
> On Thu, Mar 22, 2018 at 4:30 AM, Alexander Berntsen <bernalex@g.o> wrote: |
3 |
>> On 22/03/18 07:31, Benda Xu wrote: |
4 |
>>> We might be able to require GPG signed email to make a post. |
5 |
>> Almost definitely. |
6 |
>> |
7 |
>> But before bikeshedding that, it would be advisable to find out whether |
8 |
>> it would be a good idea in the first place. Unless you want only |
9 |
>> prospective developers to be able to contribute to the ML (maybe you do |
10 |
>> want that?), it seems like a poor idea to unnecessarily exclude anyone |
11 |
>> who doesn't care (nor want to care) about OpenPGP. |
12 |
> |
13 |
> That, and getting yourself whitelisted by a dev is gong to be a lower |
14 |
> barrier than having to meet one in-person to have a key signed. That |
15 |
> is unless devs just start signing keys for people they've never met |
16 |
> (which honestly doesn't really bother me much as I don't put much |
17 |
> faith in the WoT anyway), in which case it turns into a whitelist that |
18 |
> only comrel can un-whitelist since I don't think you can revoke a |
19 |
> signature. |
20 |
|
21 |
The one issuing the signature can also revoke it (see revsig in --edit-key). |
22 |
|
23 |
That said, I'd rather focus on our own devs having WoT and requiring it |
24 |
to become a developer long before we require it to be part of a mailing |
25 |
list. If anything the technical complexity of verifying it doesn't make |
26 |
much sense to me vs a simple whitelist. |
27 |
|
28 |
> |
29 |
> Plus signing emails is a pain if you don't use an MUA that has this |
30 |
> feature, and the web-based ones which do aren't very good. |
31 |
> |
32 |
|
33 |
|
34 |
-- |
35 |
Kristian Fiskerstrand |
36 |
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net |
37 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |