On Sat, Feb 23, 2019 at 11:30 AM Alec Warner <antarus@g.o> wrote:
>
> - As Rich noted, most people have no idea how GPG works and they
> just do whatever they are instructed to do. I don't think a lack of
> knowledge of GPG indicates "being a troll" nor "lack of technical
> competence."
|
I wasn't even arguing ignorance. I've been using PGP since the days
when I had to jump through hoops to get around the ITAR restrictions.
|
I don't follow the Gentoo instructions because I don't know how to use
gpg. I follow them because the GLEP has a stack of requirements for
how a Gentoo gpg key ought to be set up, and since I have no intention
of ever using the key for anything else, there is no reason to waste
time tailoring it to my own needs. It is no different from my company
laptop - I configure it however they want me to and don't use it for
anything personal. That isn't because I don't know how to use gmail
or Facebook or whatever on it, but simply because it makes no sense
for me to get frustrated with whatever the IT policy is of the day
when a laptop starts at $120 these days and I can just use my own, and
I have independent internet anywhere I go.
|
Likewise the reason I don't sign my email isn't because I don't know
how thunderbird/kmail/whatever works. It is because there isn't much
intersection between MUAs that fit how I actually access email these
days and MUAs that can securely access my key. If my Gentoo email
workflow required a more gpg-centric workflow then I'd set up a
separate email account just for Gentoo, use Thunderbird or whatever
with it on a single desktop, and not look at it much except when I had
to. Or maybe if it were supported I'd use a different key for email
so that I wouldn't need to go sticking my commit-signing key on every
phone/laptop/whatever I use where it could get compromised and end up
with some poor soul getting rooted, and I could be more liberal with
the email key. Really though I suspect that some of the newer
x509-based protocols are better-supported by email clients.
|
I've been involved with Gentoo in one way or another for approaching
15 years and in all that time I think I've had to use gpg for
something other than commit-signing maybe once or twice. Nothing
wrong with using it, and I accept that some roles might require it
more often, but it seems a bit overkill to invest a ton of time in
secure email for an organization that almost never needs secure email.
|
No trolling intended. I just don't see the point. If it were
required then I would comply. I completely get the spirit vs the
letter of the rules, but IMO this doesn't fall under either. As far
as I can tell there was never any intent to require an email signing
subkey, and this was not a mere accidental omission, at least not on
the part of the majority of council members who voted for the policy.
|
--
Rich