| 1 |
On 2017.08.03 12:16, Matthew Thode wrote: |
| 2 |
> To be clear, a list of full key IDs with verification (some sort of |
| 3 |
> video chat maybe) of the fingerprint. Said fingerprint would be |
| 4 |
> recorded in git (signed commits and pushes to verify trust of the |
| 5 |
> fingerprints). |
| 6 |
> |
| 7 |
> On August 3, 2017 6:13:13 AM CDT, Ulrich Mueller <ulm@g.o> |
| 8 |
> wrote: |
| 9 |
> >As discussed with prometheanfire in #gentoo-trustees, I am suggesting |
| 10 |
> >the following as an item for the (September?) Trustees meeting. |
| 11 |
> > |
| 12 |
> >Apparently, the Foundation only has a list of PGP key IDs in |
| 13 |
> >https://wiki.gentoo.org/wiki/Foundation:Member_List. Even worse, most |
| 14 |
> >IDs listed there are only 32 bit IDs, providing no security at all. |
| 15 |
> > |
| 16 |
> >I would like to ask the Foundation to keep a list with the (160 bit) |
| 17 |
> >PGP fingerprints of its members. (For developers, this information |
| 18 |
> >should be readily available in LDAP.) |
| 19 |
> > |
| 20 |
> >Ulrich |
| 21 |
> |
| 22 |
> -- |
| 23 |
> Sent from Kaiten Mail. Please excuse my brevity. |
| 24 |
|
| 25 |
|
| 26 |
What do we need to prove? |
| 27 |
|
| 28 |
That the the key belongs to a given individual or just that the key on the vote |
| 29 |
is the same as the key used for the membership application.? |
| 30 |
|
| 31 |
The former involves a web of trust of some sort and we don't do that for devs |
| 32 |
joining the distro. |
| 33 |
|
| 34 |
I suggest that the latter is suffcient but the web of trust would be nice to have. |
| 35 |
|
| 36 |
Agreed tht the 32 bit key IDs need to be improved. |
| 37 |
-- |
| 38 |
Regards, |
| 39 |
|
| 40 |
Roy Bamford |
| 41 |
(Neddyseagoon) a member of |
| 42 |
elections |
| 43 |
gentoo-ops |
| 44 |
forum-mods |
Archives