On Wed, 4 Jan 2017 21:47:34 +0100
Kristian Fiskerstrand <k_f@g.o> wrote:

> On 01/04/2017 08:12 PM, Michał Górny wrote:
> > On Wed, 4 Jan 2017 18:58:26 +0100
> > Kristian Fiskerstrand <k_f@g.o> wrote:
> >
> >> With increasing focus on security in various contexts I'd like to
> >> propose that we start discussing catching up with other distributions
> >> and start requiring new developers' OpenPGP keyblocks to have at least
> >> two signatures from existing developers before applications can be
> >> made[A]. Amongst other things, this helps build the Gentoo Web of Trust.
> >>
> >>
> >> E.g. [Debian] has the following requirement: "To maintain the strong Web
> >> of Trust that connects all Debian Developers, Applicants need to
> >> identify themselves by providing an OpenPGP key that is signed by at
> >> least two official Developers. To further ensure their identity,
> >> signatures by other people (who do not need to be DDs, but should be
> >> well connected in the overall Web of Trust) are strongly recommended."
> >
> > Isn't barrier of entry to Gentoo high enough already? I know many
> > people refusing to join because they consider quizzes
> > and the recruitment procedure to be too cumbersome and a waste of time.
>
> No, I don't feel that this is conflicting, on some level it comes down
> to a matter of more than technical skills, in this particular context
> also establishing trust, both in terms of security and in the long term
> responsibilities of both having commit access in general and maintaining
> the packages picked up for maintenance.

Are you assuming that having a verified proof of identity (well, more
of the name since I suppose you won't be recording all his data) of
a developer would prevent him from abusing his account?

--
Best regards,
Michał Górny
<http://dev.gentoo.org/~mgorny/>