| 1 |
On Mon, 05 Dec 2016 14:50:30 -0500 |
| 2 |
"William L. Thomson Jr." <wlt-ml@××××××.com> wrote: |
| 3 |
|
| 4 |
> Also why is GPG signing no longer required? |
| 5 |
> |
| 6 |
> That alone can help ensure emails are coming from who they say they are. Not |
| 7 |
> sure how I was able to sign an email with an email not part of my GPG key. Not |
| 8 |
> sure if that is kmail bug or by design. |
| 9 |
|
| 10 |
1. Obviously it would be harmful to require non-devs to sign all their email to the -dev ml |
| 11 |
|
| 12 |
It would form a substantial barrier to discussion contribution. |
| 13 |
|
| 14 |
2. Being lax here means there's no technical barrier preventing people |
| 15 |
replying hastily to emails using their phone or somesuch, which may not be |
| 16 |
equipped with satisfactory cryptography tools for GPG signing. |
| 17 |
|
| 18 |
In fact, forcing GPG everywhere is more disposed to creating problems, |
| 19 |
where people would employ weak GPG implementations just to circumvent the requirements, |
| 20 |
or have weak GPG installs to make the hassle of constantly entering your GPG key |
| 21 |
password go away, and/or distributing your GPG keys in unsafe ways. |
| 22 |
|
| 23 |
Its better on a "as you need it" basis, where people who *want* to sign *can* |
| 24 |
and are *encouraged* to. |
| 25 |
|
| 26 |
And emails from @gentoo devs can be read without needing a signature, but |
| 27 |
if it comes to a situation where a dev needs to put any kind of weight behind |
| 28 |
that email, that is a situation where you can *require* GPG without needing |
| 29 |
it being a blanket approach. |
| 30 |
|
| 31 |
As long as you keep in mind that every unsigned email is potentially |
| 32 |
a forgery, and that for sensitive matters a signed email is required, |
| 33 |
then there is no real need for a technical gatekeeper that forces signatures. |
| 34 |
|
| 35 |
I would instead hope for an alternative: |
| 36 |
|
| 37 |
1. Emails from @gentoo devs without signatures are clearly marked as such |
| 38 |
2. Emails from @gentoo devs *with* signatures have the signature verified |
| 39 |
as being both a "known signer" in LDAP and a signer that corresponds to |
| 40 |
the @gentoo email address, and are clearly marked if this validation fails. |
| 41 |
|
| 42 |
This data would be especially helpful to display in archives etc, where |
| 43 |
the GPG data and raw headers etc may be lost transiently on the way to the archive. |
| 44 |
|
| 45 |
Presently, *only the messageid* gives away that this is a forgery: |
| 46 |
|
| 47 |
https://archives.gentoo.org/gentoo-project/message/adc634b0fd1a8b42305bf783f06ac218 |
Archives