On 2017.08.03 12:16, Matthew Thode wrote:
> To be clear, a list of full key IDs with verification (some sort of
> video chat maybe) of the fingerprint. Said fingerprint would be
> recorded in git (signed commits and pushes to verify trust of the
> fingerprints).
>
> On August 3, 2017 6:13:13 AM CDT, Ulrich Mueller <ulm@g.o>
> wrote:
> >As discussed with prometheanfire in #gentoo-trustees, I am suggesting
> >the following as an item for the (September?) Trustees meeting.
> >
> >Apparently, the Foundation only has a list of PGP key IDs in
> >https://wiki.gentoo.org/wiki/Foundation:Member_List. Even worse, most
> >IDs listed there are only 32 bit IDs, providing no security at all.
> >
> >I would like to ask the Foundation to keep a list with the (160 bit)
> >PGP fingerprints of its members. (For developers, this information
> >should be readily available in LDAP.)
> >
> >Ulrich
>
> --
> Sent from Kaiten Mail. Please excuse my brevity.

What do we need to prove?

That the key belongs to a given individual or just that the key on the vote
is the same as the key used for the membership application?

The former involves a web of trust of some sort and we don't do that for devs
joining the distro.

I suggest that the latter is sufficient but the web of trust would be nice to have.

Agreed that the 32 bit key IDs need to be improved.
--
Regards,

Roy Bamford
(Neddyseagoon) a member of
elections
gentoo-ops
forum-mods