| 1 |
On 01/04/2017 08:43 PM, Dirkjan Ochtman wrote: |
| 2 |
> On Wed, Jan 4, 2017 at 6:58 PM, Kristian Fiskerstrand <k_f@g.o> wrote: |
| 3 |
>> With increasing focus on security in various contexts I'd like to |
| 4 |
>> propose that we start discussing catching up with other distributions |
| 5 |
>> and start requiring new developers' OpenPGP keyblocks to have at least |
| 6 |
>> two signatures from existing developers before applications can be |
| 7 |
>> made[A]. Amongst other things This helps building the Gentoo Web of Trust. |
| 8 |
> |
| 9 |
> I like your proposal in abstracto (and I have the good luck of having |
| 10 |
> been at FOSDEM once, where I gathered some signatures, including |
| 11 |
> yours), but I agree with Rich and MichaĆ in that I'm not sure how this |
| 12 |
> is practical, in the sense of not putting up another pretty big |
| 13 |
> barrier to entry for new developers. Do you have an idea for this in |
| 14 |
> mind that does not actually require expensive (in time and money) IRL |
| 15 |
> meetings? |
| 16 |
|
| 17 |
If they are active in existing communities where Gentoo Developers |
| 18 |
participate, you could argue for a signature (likely 0x12 c.f RFC4880 |
| 19 |
and not a 0x10 or 0x13) by using video chat and passport display in real |
| 20 |
time. Its not something I personally do, but I know others consider it |
| 21 |
sufficient if they have a sufficient relationship though other channels. |
| 22 |
|
| 23 |
-- |
| 24 |
Kristian Fiskerstrand |
| 25 |
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net |
| 26 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |
Archives