| 1 |
On Fri, 4 Aug 2017 09:19:38 +1000 Sam Jorna wrote: |
| 2 |
> On Thu, Aug 03, 2017 at 07:23:11PM +0100, Roy Bamford wrote: |
| 3 |
> > What do we need to prove? |
| 4 |
> > |
| 5 |
> > That the the key belongs to a given individual or just that the key on the vote |
| 6 |
> > is the same as the key used for the membership application.? |
| 7 |
> > |
| 8 |
> > The former involves a web of trust of some sort and we don't do that for devs |
| 9 |
> > joining the distro. |
| 10 |
> > |
| 11 |
> > I suggest that the latter is suffcient but the web of trust would be nice to have. |
| 12 |
> |
| 13 |
> A web of trust would be nice to establish, but would be difficult |
| 14 |
> particularly with developers in regions that few other developers are |
| 15 |
> from (such as myself in Australia - there's only a couple of others in |
| 16 |
> the country). Video could possibly be used, but I believe there's some |
| 17 |
> argument over the viability of video "handshaking". |
| 18 |
|
| 19 |
IMO we should solve problems sequentially, without mixing all |
| 20 |
small issues into a single large one. |
| 21 |
|
| 22 |
Right now we need to add full key IDs and fingerprints. It should |
| 23 |
be easy to solve: LDAP has fingerprints for all devs and we can |
| 24 |
fetch keys of other Foundation members from any SKS servers. If |
| 25 |
there are any conflicts, they may be contacted individually for a |
| 26 |
fingerprint verification. |
| 27 |
|
| 28 |
Whether we need full web-of-trust for all Foundation members is an |
| 29 |
open and separate question and should not be bundled with the |
| 30 |
problem above. IMO such verification should not be mandatory for |
| 31 |
now, since it will cause more harm than good. |
| 32 |
|
| 33 |
Best regards, |
| 34 |
Andrew Savchenko |
Archives