| 1 |
On Wed, Jan 4, 2017 at 6:58 PM, Kristian Fiskerstrand <k_f@g.o> wrote: |
| 2 |
> With increasing focus on security in various contexts I'd like to |
| 3 |
> propose that we start discussing catching up with other distributions |
| 4 |
> and start requiring new developers' OpenPGP keyblocks to have at least |
| 5 |
> two signatures from existing developers before applications can be |
| 6 |
> made[A]. Amongst other things This helps building the Gentoo Web of Trust. |
| 7 |
|
| 8 |
I like your proposal in abstracto (and I have the good luck of having |
| 9 |
been at FOSDEM once, where I gathered some signatures, including |
| 10 |
yours), but I agree with Rich and MichaĆ in that I'm not sure how this |
| 11 |
is practical, in the sense of not putting up another pretty big |
| 12 |
barrier to entry for new developers. Do you have an idea for this in |
| 13 |
mind that does not actually require expensive (in time and money) IRL |
| 14 |
meetings? |
| 15 |
|
| 16 |
Cheers, |
| 17 |
|
| 18 |
Dirkjan |
Archives