Gentoo Archives: gentoo-project

From: "Michał Górny" <mgorny@g.o>
To: Kristian Fiskerstrand <k_f@g.o>
Cc: gentoo-project@l.g.o
Subject: Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?
Date: Wed, 04 Jan 2017 21:18:06
Message-Id: 20170104221746.6faa286f.mgorny@gentoo.org
In Reply to: Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications? by Kristian Fiskerstrand
On Wed, 4 Jan 2017 21:47:34 +0100
Kristian Fiskerstrand <k_f@g.o> wrote:

> On 01/04/2017 08:12 PM, Michał Górny wrote:
> > On Wed, 4 Jan 2017 18:58:26 +0100
> > Kristian Fiskerstrand <k_f@g.o> wrote:
> >
> >> With increasing focus on security in various contexts I'd like to
> >> propose that we start discussing catching up with other distributions
> >> and start requiring new developers' OpenPGP keyblocks to have at least
> >> two signatures from existing developers before applications can be
> >> made[A]. Amongst other things this helps building the Gentoo Web of Trust.
> >>
> >>
> >> E.g. [Debian] has the following requirement: "To maintain the strong Web
> >> of Trust that connects all Debian Developers, Applicants need to
> >> identify themselves by providing an OpenPGP key that is signed by at
> >> least two official Developers. To further ensure their identity,
> >> signatures by other people (who do not need to be DDs, but should be
> >> well connected in the overall Web of Trust) are strongly recommended."
> >
> > Isn't the barrier of entry to Gentoo high enough already? I know many
> > people refusing to join because they consider quizzes
> > and the recruitment procedure to be too cumbersome and a waste of time.
>
> No, I don't feel that this is conflicting, on some level it comes down
> to a matter of more than technical skills, in this particular context
> also establishing trust, both in terms of security and in the long term
> responsibilities of both having commit access in general and maintaining
> the packages picked up for maintenance.

Are you assuming that having a verified proof of identity (well, more
of the name since I suppose you won't be recording all his data) of
a developer would prevent him from abusing his account?

--
Best regards,
Michał Górny
<http://dev.gentoo.org/~mgorny/>
