| 1 |
On Wed, 4 Jan 2017 18:58:26 +0100 |
| 2 |
Kristian Fiskerstrand <k_f@g.o> wrote: |
| 3 |
|
| 4 |
> With increasing focus on security in various contexts I'd like to |
| 5 |
> propose that we start discussing catching up with other distributions |
| 6 |
> and start requiring new developers' OpenPGP keyblocks to have at least |
| 7 |
> two signatures from existing developers before applications can be |
| 8 |
> made[A]. Amongst other things This helps building the Gentoo Web of Trust. |
| 9 |
> |
| 10 |
> |
| 11 |
> E.g [Debian] has the following requirement: "To maintain the strong Web |
| 12 |
> of Trust that connects all Debian Developers, Applicants need to |
| 13 |
> identify themselves by providing an OpenPGP key that is signed by at |
| 14 |
> least two official Developers. To further ensure their identity, |
| 15 |
> signatures by other people (who do not need to be DDs, but should be |
| 16 |
> well connected in the overall Web of Trust) are strongly recommended." |
| 17 |
|
| 18 |
Isn't barrier of entry to Gentoo high enough already? I know many |
| 19 |
people refusing to join because they consider quizzes |
| 20 |
and the recruitment procedure to be too cumbersome and a waste of time. |
| 21 |
I can imagine requiring people to actually travel and make appointments |
| 22 |
with other Gentoo developers will only make things worse. |
| 23 |
|
| 24 |
Considering that so far I haven't met any Gentoo developers. In fact, I |
| 25 |
barely met a few people who have any clue of (Open)PGP at all. If I was |
| 26 |
required to get signatures from two Gentoo developers, I certainly |
| 27 |
would not have joined. |
| 28 |
|
| 29 |
Maybe if I were unemployed and the Foundation was willing to reimburse |
| 30 |
travel costs... but right now, I can't really imagine finding time to |
| 31 |
go and collect Gentoo Pokémon. |
| 32 |
|
| 33 |
-- |
| 34 |
Best regards, |
| 35 |
Michał Górny |
| 36 |
<http://dev.gentoo.org/~mgorny/> |
Archives