| 1 |
On 01/04/2017 08:12 PM, Michał Górny wrote: |
| 2 |
> On Wed, 4 Jan 2017 18:58:26 +0100 |
| 3 |
> Kristian Fiskerstrand <k_f@g.o> wrote: |
| 4 |
> |
| 5 |
>> With increasing focus on security in various contexts I'd like to |
| 6 |
>> propose that we start discussing catching up with other distributions |
| 7 |
>> and start requiring new developers' OpenPGP keyblocks to have at least |
| 8 |
>> two signatures from existing developers before applications can be |
| 9 |
>> made[A]. Amongst other things This helps building the Gentoo Web of Trust. |
| 10 |
>> |
| 11 |
>> |
| 12 |
>> E.g [Debian] has the following requirement: "To maintain the strong Web |
| 13 |
>> of Trust that connects all Debian Developers, Applicants need to |
| 14 |
>> identify themselves by providing an OpenPGP key that is signed by at |
| 15 |
>> least two official Developers. To further ensure their identity, |
| 16 |
>> signatures by other people (who do not need to be DDs, but should be |
| 17 |
>> well connected in the overall Web of Trust) are strongly recommended." |
| 18 |
> |
| 19 |
> Isn't barrier of entry to Gentoo high enough already? I know many |
| 20 |
> people refusing to join because they consider quizzes |
| 21 |
> and the recruitment procedure to be too cumbersome and a waste of time. |
| 22 |
|
| 23 |
No, I don't feel that this is conflicting, on some level it comes down |
| 24 |
to a matter of more than technical skills, in this particular context |
| 25 |
also establishing trust, both in terms of security and in the long term |
| 26 |
responsibilities of both having commit access in general and maintaining |
| 27 |
the packages picked up for maintenance. |
| 28 |
|
| 29 |
> I can imagine requiring people to actually travel and make appointments |
| 30 |
> with other Gentoo developers will only make things worse. |
| 31 |
|
| 32 |
Most signatures can likely be exchanged at local LUGs, in particular if |
| 33 |
we increase presentation activity in order to be more visible. As an |
| 34 |
example the Norwegian Unix User's Group is sponsoring flying in a Gentoo |
| 35 |
developer this year to present here in Oslo. |
| 36 |
|
| 37 |
> |
| 38 |
> Considering that so far I haven't met any Gentoo developers. In fact, I |
| 39 |
> barely met a few people who have any clue of (Open)PGP at all. If I was |
| 40 |
|
| 41 |
Might be time for me for a trip to Poland :) |
| 42 |
|
| 43 |
> required to get signatures from two Gentoo developers, I certainly |
| 44 |
> would not have joined. |
| 45 |
|
| 46 |
The discussion of this is interesting, and on some level it comes down |
| 47 |
to Gentoo developers being more visible in their local communities to |
| 48 |
offer such opportunities as well as meeting up with other Gentoo |
| 49 |
developers in various contexts. |
| 50 |
|
| 51 |
-- |
| 52 |
Kristian Fiskerstrand |
| 53 |
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net |
| 54 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |
Archives