On 01/04/2017 08:43 PM, Dirkjan Ochtman wrote:
> On Wed, Jan 4, 2017 at 6:58 PM, Kristian Fiskerstrand <k_f@g.o> wrote:
>> With increasing focus on security in various contexts I'd like to
>> propose that we start discussing catching up with other distributions
>> and start requiring new developers' OpenPGP keyblocks to have at least
>> two signatures from existing developers before applications can be
>> made[A]. Amongst other things, this helps build the Gentoo Web of Trust.
>
> I like your proposal in abstracto (and I have the good luck of having
> been at FOSDEM once, where I gathered some signatures, including
> yours), but I agree with Rich and Michał in that I'm not sure how this
> is practical, in the sense of not putting up another pretty big
> barrier to entry for new developers. Do you have an idea for this in
> mind that does not actually require expensive (in time and money) IRL
> meetings?

If they are active in existing communities where Gentoo Developers
participate, you could argue for a signature (likely 0x12, cf. RFC 4880,
and not a 0x10 or 0x13) by using video chat and passport display in real
time. It's not something I personally do, but I know others consider it
sufficient if they have a sufficient relationship through other channels.

--
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
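The reply above distinguishes the RFC 4880 certification classes (0x10 generic, 0x11 persona, 0x12 casual, 0x13 positive) when discussing what kind of key signature a video-chat identity check would justify, and the original proposal asks for at least two such certifications from existing developers. The following is an added example, not code from this thread or from Gentoo infrastructure: it parses the machine-readable output of `gpg --with-colons --list-sigs <key>` (the `sig` record's 11th field carries the class byte plus `x` for exportable or `l` for local, per gnupg's doc/DETAILS) and tallies which developer keys have certified the applicant's key, per class. The key IDs, user IDs and the `DEVELOPER_KEYIDS` set are constructed for illustration and correspond to no real keys.

```python
"""Tally OpenPGP certifications on a key by RFC 4880 class, from the
colon-separated listing produced by `gpg --with-colons --list-sigs`.

Colon-format fields used (gnupg doc/DETAILS):
  field 1   record type: pub, fpr, uid, sub, sig, rev, tru, ...
  field 5   long key ID of the key (pub/sub) or of the signer (sig)
  field 10  user ID string (uid records: the UID itself; sig: signer's UID)
  field 11  sig records only: class byte in hex plus 'x' (exportable)
            or 'l' (local, non-exportable), e.g. "13x"
"""

# Certification signature types, RFC 4880 section 5.2.1.
CERT_CLASSES = {
    0x10: "generic",
    0x11: "persona",
    0x12: "casual",
    0x13: "positive",
}

# Constructed sample listing (hypothetical keys, not real developers).
SAMPLE_LISTING = """\
tru::1:1483574400:0:3:1:5
pub:u:4096:1:AAAAAAAAAAAAAAAA:1483000000:::u:::scESC::::::23::0:
fpr:::::::::000000000000000000000000AAAAAAAAAAAAAAAA:
uid:u::::1483000000::0123456789ABCDEF0123456789ABCDEF01234567::Applicant <applicant@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1483000000::::Applicant <applicant@example.org>:13x:::::2:
sig:::1:BBBBBBBBBBBBBBBB:1483100000::::Dev One <one@example.org>:12x:::::2:
sig:::1:CCCCCCCCCCCCCCCC:1483200000::::Dev Two <two@example.org>:10l:::::2:
sig:::1:DDDDDDDDDDDDDDDD:1483300000::::Dev Three <three@example.org>:13x:::::2:
sig:::1:EEEEEEEEEEEEEEEE:1483400000::::Stranger <stranger@example.net>:12x:::::2:
"""

# Constructed: long key IDs of the "existing developers" whose
# certifications are allowed to count toward the requirement.
DEVELOPER_KEYIDS = {"BBBBBBBBBBBBBBBB", "CCCCCCCCCCCCCCCC", "DDDDDDDDDDDDDDDD"}


def primary_keyid(listing):
    """Return the long key ID from the first pub record."""
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            return fields[4]
    raise ValueError("no pub record in listing")


def parse_certifications(listing):
    """Yield (signer_keyid, uid, class_byte, exportable) for every sig
    record that follows a uid record, i.e. every certification over a
    user ID. Signatures on sub records (binding sigs, class 0x18) are
    skipped because current_uid is reset on pub/sub."""
    current_uid = None
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "uid":
            current_uid = fields[9]
        elif rtype in ("pub", "sub"):
            current_uid = None
        elif rtype == "sig" and current_uid is not None:
            sigclass = fields[10]                 # e.g. "12x"
            class_byte = int(sigclass[:2], 16)
            exportable = sigclass.endswith("x")
            yield fields[4], current_uid, class_byte, exportable


def count_developer_certifications(listing, developer_keyids, own_keyid):
    """Return (certifiers, per_class): the set of developer key IDs that
    placed an exportable certification on some UID of the key, and a
    tally of those certifications by RFC 4880 class name. Self-sigs,
    local ('l') sigs and sigs from non-developer keys are ignored."""
    certifiers = set()
    per_class = {name: 0 for name in CERT_CLASSES.values()}
    for signer, _uid, class_byte, exportable in parse_certifications(listing):
        if class_byte not in CERT_CLASSES:
            continue                              # not a certification
        if signer == own_keyid or not exportable:
            continue                              # self-sig or local sig
        if signer not in developer_keyids:
            continue                              # not an existing developer
        certifiers.add(signer)
        per_class[CERT_CLASSES[class_byte]] += 1
    return certifiers, per_class


def meets_policy(listing, developer_keyids, minimum=2):
    """True if at least `minimum` distinct developer keys certified the key."""
    certifiers, _ = count_developer_certifications(
        listing, developer_keyids, primary_keyid(listing))
    return len(certifiers) >= minimum


if __name__ == "__main__":
    certs, tally = count_developer_certifications(
        SAMPLE_LISTING, DEVELOPER_KEYIDS, primary_keyid(SAMPLE_LISTING))
    print("developer certifiers:", sorted(certs))
    print("by class:", tally)
    print("meets two-signature requirement:", meets_policy(SAMPLE_LISTING, DEVELOPER_KEYIDS))
```

In the constructed sample, Dev One's 0x12 (casual, the class the reply suggests for a video-chat check) and Dev Three's 0x13 count, Dev Two's 0x10 is a local signature that never leaves that developer's keyring and so is excluded, and the stranger's 0x12 is exportable but not from a developer key. Only the key ID set decides whose certifications count; a real check would also have to verify the signatures cryptographically, which `gpg --check-sigs` does and this parser does not.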