Gentoo Archives: gentoo-project

From: Rich Freeman <rich0@g.o>
To: gentoo-project <gentoo-project@l.g.o>
Cc: "Michał Górny" <mgorny@g.o>
Subject: Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust
Date: Sat, 02 Feb 2019 13:47:50
In Reply to: Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust by desultory
On Sat, Feb 2, 2019 at 12:55 AM desultory <desultory@g.o> wrote:
> > On 02/01/19 08:25, Michał Górny wrote: > > On Thu, 2019-01-31 at 12:33 -0500, Rich Freeman wrote: > >> On Thu, Jan 31, 2019 at 8:56 AM Michał Górny <mgorny@g.o> wrote: > >> > >>> Verify the person's real name (at least for the user identifier > >>> used for copyright purposes). This is usually done through > >>> verifying an identification document with photograph. It is > >>> a good idea to ask for the document type earlier, and read on > >>> forgery protections used. > >> > >> "usually"? "identification document"? Does this mean that an > >> appropriate method of verification is entirely up to individual > >> discretion? If so that makes the process of getting every key signed > >> fairly trivial as long as two people have (in?)appropriately-rigorous > >> standards... > > > > I'm sorry, I keep forgetting that you can't rely on people in Gentoo > > being mature and you need to specify everything as 'MUST' and 'MUST > > NOT', or otherwise they are going to ignore the spirit of the policy > > and violate in the worst way permitted by bending the wording. > > > You started this thread with what distinctly appeared to be a plea to > avoid ad hominem attacks, just to turn around make make them yourself. > Do, kindly, stop it.
Neither of our comments were helpful here. I made a passive-aggressive post out of emotion and mgorny made a provoked passive-aggressive reply (which is why we shouldn't be communicating this way in the first place). In both cases the tone distracted from the gist of the points: 1. The standards for identification are somewhat subjective and will necessarily vary from individual to individual. You actually phrased this concern better in your reply, and perhaps I might have done the same if I had taken more time to compose myself better. 2. Mgorny's point is that in practice well-intending identity verifiers are probably going to be good enough at getting the job done. I agree, though mainly because I don't think it is important that the job be done at all. -- Rich