Gentoo Archives: gentoo-nfp

From: Andrew Savchenko <bircoph@g.o>
To: gentoo-nfp@l.g.o
Subject: Re: [gentoo-nfp] Re: PGP fingerprints of Foundation members (item for Trustees meeting)
Date: Sat, 05 Aug 2017 10:18:01
In Reply to: Re: [gentoo-nfp] Re: PGP fingerprints of Foundation members (item for Trustees meeting) by Sam Jorna
1 On Fri, 4 Aug 2017 09:19:38 +1000 Sam Jorna wrote:
2 > On Thu, Aug 03, 2017 at 07:23:11PM +0100, Roy Bamford wrote:
3 > > What do we need to prove?
4 > >
5 > > That the the key belongs to a given individual or just that the key on the vote
6 > > is the same as the key used for the membership application.?
7 > >
8 > > The former involves a web of trust of some sort and we don't do that for devs
9 > > joining the distro.
10 > >
11 > > I suggest that the latter is suffcient but the web of trust would be nice to have.
12 >
13 > A web of trust would be nice to establish, but would be difficult
14 > particularly with developers in regions that few other developers are
15 > from (such as myself in Australia - there's only a couple of others in
16 > the country). Video could possibly be used, but I believe there's some
17 > argument over the viability of video "handshaking".
19 IMO we should solve problems sequentially, without mixing all
20 small issues into a single large one.
22 Right now we need to add full key IDs and fingerprints. It should
23 be easy to solve: LDAP has fingerprints for all devs and we can
24 fetch keys of other Foundation members from any SKS servers. If
25 there are any conflicts, they may be contacted individually for a
26 fingerprint verification.
28 Whether we need full web-of-trust for all Foundation members is an
29 open and separate question and should not be bundled with the
30 problem above. IMO such verification should not be mandatory for
31 now, since it will cause more harm than good.
33 Best regards,
34 Andrew Savchenko