On 01/04/2017 08:12 PM, Michał Górny wrote:
> On Wed, 4 Jan 2017 18:58:26 +0100
> Kristian Fiskerstrand <k_f@g.o> wrote:
>
>> With increasing focus on security in various contexts I'd like to
>> propose that we start discussing catching up with other distributions
>> and start requiring new developers' OpenPGP keyblocks to have at least
>> two signatures from existing developers before applications can be
>> made[A]. Amongst other things, this helps build the Gentoo Web of Trust.
>>
>>
>> E.g. [Debian] has the following requirement: "To maintain the strong Web
>> of Trust that connects all Debian Developers, Applicants need to
>> identify themselves by providing an OpenPGP key that is signed by at
>> least two official Developers. To further ensure their identity,
>> signatures by other people (who do not need to be DDs, but should be
>> well connected in the overall Web of Trust) are strongly recommended."
>
> Isn't the barrier of entry to Gentoo high enough already? I know many
> people refusing to join because they consider quizzes
> and the recruitment procedure to be too cumbersome and a waste of time.

No, I don't feel that this is conflicting; on some level it comes down
to a matter of more than technical skills, in this particular context
also establishing trust, both in terms of security and in the long-term
responsibilities of both having commit access in general and maintaining
the packages picked up for maintenance.

> I can imagine requiring people to actually travel and make appointments
> with other Gentoo developers will only make things worse.

Most signatures can likely be exchanged at local LUGs, in particular if
we increase presentation activity in order to be more visible. As an
example, the Norwegian Unix User's Group is sponsoring flying in a Gentoo
developer this year to present here in Oslo.

>
> Considering that so far I haven't met any Gentoo developers. In fact, I
> barely met a few people who have any clue of (Open)PGP at all. If I was

Might be time for me for a trip to Poland :)

> required to get signatures from two Gentoo developers, I certainly
> would not have joined.

The discussion of this is interesting, and on some level it comes down
to Gentoo developers being more visible in their local communities to
offer such opportunities as well as meeting up with other Gentoo
developers in various contexts.

--
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3