On Fri, 4 Aug 2017 09:19:38 +1000 Sam Jorna wrote:
> On Thu, Aug 03, 2017 at 07:23:11PM +0100, Roy Bamford wrote:
> > What do we need to prove?
> >
> > That the key belongs to a given individual or just that the key on the vote
> > is the same as the key used for the membership application?
> >
> > The former involves a web of trust of some sort and we don't do that for devs
> > joining the distro.
> >
> > I suggest that the latter is sufficient but the web of trust would be nice to have.
>
> A web of trust would be nice to establish, but would be difficult
> particularly with developers in regions that few other developers are
> from (such as myself in Australia - there's only a couple of others in
> the country). Video could possibly be used, but I believe there's some
> argument over the viability of video "handshaking".

IMO we should solve problems sequentially, without mixing all
small issues into a single large one.

Right now we need to add full key IDs and fingerprints. It should
be easy to solve: LDAP has fingerprints for all devs and we can
fetch keys of other Foundation members from any SKS servers. If
there are any conflicts, they may be contacted individually for a
fingerprint verification.

Whether we need full web-of-trust for all Foundation members is an
open and separate question and should not be bundled with the
problem above. IMO such verification should not be mandatory for
now, since it will cause more harm than good.

Best regards,
Andrew Savchenko
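The reconciliation step proposed in the message above, sketched as an added example that is not part of the original thread or any Gentoo tooling. It assumes a member roll that records short, long, or full key IDs, and that LDAP is authoritative for developers while keyserver results are used for everyone else; the function names, dictionary layout, and all sample values are constructed for illustration.

```python
import re

def normalize(hexstr):
    """Strip whitespace and an optional 0x prefix; upper-case the hex digits."""
    s = re.sub(r"\s+", "", hexstr).upper()
    return s[2:] if s.startswith("0X") else s

def reconcile(roll, ldap_fprs, keyserver_fprs):
    """Expand each recorded key ID to a full fingerprint, or say why it needs follow-up.

    roll:           {member: key ID as recorded (8, 16 or 40 hex digits)}
    ldap_fprs:      {member: fingerprint from LDAP}  (assumed authoritative for devs)
    keyserver_fprs: {member: [fingerprints of keys fetched from a keyserver]}
    """
    resolved, conflicts = {}, {}
    for member, recorded in roll.items():
        key_id = normalize(recorded)
        if len(key_id) not in (8, 16, 40) or not re.fullmatch(r"[0-9A-F]+", key_id):
            conflicts[member] = "malformed key ID"
            continue
        if member in ldap_fprs:
            candidates = {normalize(ldap_fprs[member])}
        else:
            candidates = {normalize(f) for f in keyserver_fprs.get(member, [])}
        # An OpenPGP v4 key ID is the low-order 64 bits of the fingerprint,
        # and a short ID is the low-order 32 bits, so match on the suffix.
        matches = sorted(f for f in candidates if len(f) == 40 and f.endswith(key_id))
        if len(matches) == 1:
            resolved[member] = matches[0]
        elif not matches:
            conflicts[member] = "no known fingerprint ends with the recorded key ID"
        else:
            conflicts[member] = "recorded key ID matches several keys"
    return resolved, conflicts

# Constructed sample data (not real keys).
ROLL = {"dev-a": "0x1234ABCD", "dev-b": "DEADBEEF",
        "member-c": "0BADF00D", "member-d": "CAFEF00DCAFEF00D"}
LDAP = {"dev-a": "0123 4567 89AB CDEF 0123  4567 89AB CDEF 1234 ABCD",
        "dev-b": "FEDCBA9876543210FEDCBA987654321000000001"}
KEYSERVER = {"member-c": ["1" * 32 + "0BADF00D", "2" * 32 + "0BADF00D"],
             "member-d": ["3" * 24 + "CAFEF00DCAFEF00D"]}

if __name__ == "__main__":
    ok, todo = reconcile(ROLL, LDAP, KEYSERVER)
    for member, fpr in ok.items():
        print(f"{member}: {fpr}")
    for member, reason in todo.items():
        print(f"{member}: CONTACT INDIVIDUALLY ({reason})")
```

Entries that land in the second dictionary are the "conflicts" the message refers to: the member is contacted directly for fingerprint verification rather than resolved by guessing.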