| 1 |
On 03/22/2018 12:38 PM, Rich Freeman wrote: |
| 2 |
> On Thu, Mar 22, 2018 at 4:30 AM, Alexander Berntsen <bernalex@g.o> wrote: |
| 3 |
>> On 22/03/18 07:31, Benda Xu wrote: |
| 4 |
>>> We might be able to require GPG signed email to make a post. |
| 5 |
>> Almost definitely. |
| 6 |
>> |
| 7 |
>> But before bikeshedding that, it would be advisable to find out whether |
| 8 |
>> it would be a good idea in the first place. Unless you want only |
| 9 |
>> prospective developers to be able to contribute to the ML (maybe you do |
| 10 |
>> want that?), it seems like a poor idea to unnecessarily exclude anyone |
| 11 |
>> who doesn't care (nor want to care) about OpenPGP. |
| 12 |
> |
| 13 |
> That, and getting yourself whitelisted by a dev is gong to be a lower |
| 14 |
> barrier than having to meet one in-person to have a key signed. That |
| 15 |
> is unless devs just start signing keys for people they've never met |
| 16 |
> (which honestly doesn't really bother me much as I don't put much |
| 17 |
> faith in the WoT anyway), in which case it turns into a whitelist that |
| 18 |
> only comrel can un-whitelist since I don't think you can revoke a |
| 19 |
> signature. |
| 20 |
|
| 21 |
The one issuing the signature can also revoke it (see revsig in --edit-key). |
| 22 |
|
| 23 |
That said, I'd rather focus on our own devs having WoT and requiring it |
| 24 |
to become a developer long before we require it to be part of a mailing |
| 25 |
list. If anything the technical complexity of verifying it doesn't make |
| 26 |
much sense to me vs a simple whitelist. |
| 27 |
|
| 28 |
> |
| 29 |
> Plus signing emails is a pain if you don't use an MUA that has this |
| 30 |
> feature, and the web-based ones which do aren't very good. |
| 31 |
> |
| 32 |
|
| 33 |
|
| 34 |
-- |
| 35 |
Kristian Fiskerstrand |
| 36 |
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net |
| 37 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |
Archives