On Tue, Oct 16, 2012 at 9:30 PM, Patrick Lauer <patrick@g.o> wrote:
> That's nice. Can we also add some basic policies on key format (key
> length, validity) and get a centrally-hosted keyring?
>
> Then it'd even make sense for us to start using the whole signing thing
> now :)

Well, if we're going to do that, give some thought also to whether the
sigs need to be by Gentoo devs, and also think about any implications
of the move to git. That is, unless we want to just go through all of
that all over again.

PKI becomes a nightmare if anybody but devs sign, and when we move to
git it won't really be possible to have anybody else sign anyway
unless we allow merge commits, which is just a whole different mess.
The trustees are already wrestling with what to do about non-dev
foundation members who lose their gpg keys and thus can't sign ballots
or prove who they are. (Let's not do that debate in this thread -
just an example of the PKI problem. If you have any concerns either
send them to trustees@ or gentoo-nfp and keep them off this list.)

Rich