| 1 |
On Sat, Feb 23, 2019 at 11:30 AM Alec Warner <antarus@g.o> wrote: |
| 2 |
> |
| 3 |
> - As rich noted, most people have no idea how GPG works and they |
| 4 |
> just do whatever they are instructed to do. I don't think a lack of |
| 5 |
> knowledge of GPG indicates "being a troll" nor "lack of technical |
| 6 |
> competence." |
| 7 |
|
| 8 |
I wasn't even arguing ignorance. I've been using PGP since the days |
| 9 |
when I had to jump through hoops to get around the ITAR restrictions. |
| 10 |
|
| 11 |
I don't follow the Gentoo instructions because I don't know how to use |
| 12 |
gpg. I follow them because the GLEP has a stack of requirements for |
| 13 |
how a Gentoo gpg key ought to be set up, and since I have no intention |
| 14 |
of ever using the key for anything else, there is no reason to waste |
| 15 |
time tailoring it to my own needs. It is no different from my company |
| 16 |
laptop - I configure it however they want me to and don't use it for |
| 17 |
anything personal. That isn't because I don't know how to use gmail |
| 18 |
or Facebook or whatever on it, but simply because it makes no sense |
| 19 |
for me to get frustrated with whatever the IT policy is of the day |
| 20 |
when a laptop starts at $120 these days and I can just use my own, and |
| 21 |
I have independent internet anywhere I go. |
| 22 |
|
| 23 |
Likewise the reason I don't sign my email isn't because I don't know |
| 24 |
how thunderbird/kmail/whatever works. It is because there isn't much |
| 25 |
intersection between MUAs that fit how I actually access email these |
| 26 |
days and MUAs that can securely access my key. If my Gentoo email |
| 27 |
workflow required a more gpg-centric workflow then I'd set up a |
| 28 |
separate email account just for Gentoo, use Thunderbird or whatever |
| 29 |
with it on a single desktop, and not look at it much except when I had |
| 30 |
to. Or maybe if it were supported I'd use a different key for email |
| 31 |
so that I wouldn't need to go sticking my commit-signing key on every |
| 32 |
phone/laptop/whatever I use where it could get compromised and end up |
| 33 |
with some poor soul getting rooted, and I could be more liberal with |
| 34 |
the email key. Really though I suspect that some of the newer |
| 35 |
x509-based protocols are better-supported by email clients. |
| 36 |
|
| 37 |
I've been involved with Gentoo in one way or another for approaching |
| 38 |
15 years and in all that time I think I've had to use gpg for |
| 39 |
something other than commit-signing maybe once or twice. Nothing |
| 40 |
wrong with using it, and I accept that some roles might require it |
| 41 |
more often, but it seems a bit overkill to invest a ton of time in |
| 42 |
secure email for an organization that almost never needs secure email. |
| 43 |
|
| 44 |
No trolling intended. I just don't see the point. If it were |
| 45 |
required then I would comply. I completely get the spirit vs the |
| 46 |
letter of the rules, but IMO this doesn't fall under either. As far |
| 47 |
as I can tell there was never any intent to require an email signing |
| 48 |
subkey, and this was not a mere accidental omission, at least not on |
| 49 |
the part of the majority of council members who voted for the policy. |
| 50 |
|
| 51 |
-- |
| 52 |
Rich |
Archives