| 1 |
On Tue, Oct 16, 2012 at 9:30 PM, Patrick Lauer <patrick@g.o> wrote: |
| 2 |
> That's nice. Can we also add some basic policies on key format (key |
| 3 |
> length, validity) and get a centrally-hosted keyring? |
| 4 |
> |
| 5 |
> Then it'd even make sense for us to start using the whole signing thing |
| 6 |
> now :) |
| 7 |
|
| 8 |
Well, if we're going to do that give some thought to also whether the |
| 9 |
sigs need to be by Gentoo devs, and also think about any implications |
| 10 |
of the move to git. That is, unless we want to just go through all of |
| 11 |
that all over again. |
| 12 |
|
| 13 |
PKI becomes a nightmare if anybody but devs sign, and when we move to |
| 14 |
git it won't really be possible to have anybody else sign anyway |
| 15 |
unless we allow merge commits, which is just a whole different mess. |
| 16 |
The trustees are already wrestling with what to do about non-dev |
| 17 |
foundation members who lose their gpg keys and thus can't sign ballots |
| 18 |
or prove who they are. (Let's not do that debate in this thread - |
| 19 |
just an example of the PKI problem. If you have any concerns either |
| 20 |
send them to trustees@ or gentoo-nfp and keep them off this list.) |
| 21 |
|
| 22 |
Rich |
Archives