On Wed, 4 Jan 2017 18:58:26 +0100
Kristian Fiskerstrand <k_f@g.o> wrote:

> With increasing focus on security in various contexts I'd like to
> propose that we start discussing catching up with other distributions
> and start requiring new developers' OpenPGP keyblocks to have at least
> two signatures from existing developers before applications can be
> made[A]. Amongst other things, this helps build the Gentoo Web of Trust.
>
>
> E.g. [Debian] has the following requirement: "To maintain the strong Web
> of Trust that connects all Debian Developers, Applicants need to
> identify themselves by providing an OpenPGP key that is signed by at
> least two official Developers. To further ensure their identity,
> signatures by other people (who do not need to be DDs, but should be
> well connected in the overall Web of Trust) are strongly recommended."

Isn't the barrier of entry to Gentoo high enough already? I know many
people refusing to join because they consider the quizzes
and the recruitment procedure to be too cumbersome and a waste of time.
I can imagine requiring people to actually travel and make appointments
with other Gentoo developers will only make things worse.

Consider that so far I haven't met any Gentoo developers. In fact, I
have barely met a few people who have any clue of (Open)PGP at all. If I was
required to get signatures from two Gentoo developers, I certainly
would not have joined.

Maybe if I were unemployed and the Foundation was willing to reimburse
travel costs... but right now, I can't really imagine finding time to
go and collect Gentoo Pokémon.

-- 
Best regards,
Michał Górny
<http://dev.gentoo.org/~mgorny/>