On Thu, 2019-01-31 at 09:32 -0600, Matthew Thode wrote:
> On 19-01-31 14:56:48, Michał Górny wrote:
> > Motivation
> > ==========
> > 
> > While Gentoo observes the status of OpenPGP web of trust for many years,
> > there never has been a proper push to get all developers covered by it
> > or even formalize the rules of signing one another's keys. Apparently,
> > there are still many Gentoo developers who do not have their
> > ``@gentoo.org`` UID signed by another active developer. Historically
> > there were also cases of developers signing others' UIDs without
> > actually verifying their identity. [#WOT-GRAPH]_ [#WOT-STATS]_
> > 
> > The web of trust is usually considered secondary to Gentoo's internal
> > trust system based on key fingerprints stored in LDAP and distributing
> > via the website. While this system reliably covers all Gentoo
> > developers, it has three major drawbacks:
> > 
> > 1. It is entirely customary and therefore requires customized software
> > to use. In other words, it's of limited usefulness to people outside
> > Gentoo or does not work out of the box there.
> 
> s/customary/custom?
> > 
> > 2. At least in the current form, it is entirely limited to Gentoo
> > developers. As such, it does not facilitate trust between them
> > and the outer world.
> > 
> > 3. It relies on a centralized server whose authenticity is in turn
> > proved via PKI. This model is generally considered weak.
> > 
> > Even if this trust system is to stay being central to Gentoo's needs,
> > it should be beneficial for Gentoo developers to start improving
> > the OpenPGP web of trust, both for the purpose of improving Gentoo's
> > position in it and for the purpose of enabling better trust coverage
> > between Gentoo developers, users and other people.
> > 
> > Furthermore, the recent copyright policy established in GLEP 76
> > introduces the necessity of verifying real names of developers. Given
> > that the Foundation wishes to avoid requesting document scans or other
> > form of direct verification, the identity verification required
> > for UID signing can also serve the needs of verifying the name
> > for Certificate of Origin sign-off purposes. [#GLEP76]_
> > 
> 
> I don't see anything in GLEP 76 about requiring verification of the
> signatures. It's my view (as trustee) that assertion by the signer
> that 'this is my signature' is sufficient. Introducing more
> verification should not be needed. That said, I do think switching to a
> WoT model has some merit; it's just that the name verification is a
> side benefit, not a primary reason for the switch.

There's no plan to verify signatures of all contributors. However,
I believe Gentoo developers should naturally go for higher standards.
After all, if you don't care at all, why become a developer in the first
place?

> 
> > Backwards Compatibility
> > =======================
> > 
> > Gentoo does not use any particular web of trust policy at the moment.
> > Not all of the existing signatures conform to the new policy. Therefore,
> > approving it is going to require, in some cases:
> > 
> > a. replacing non-conformant user identifiers,
> > 
> > b. revoking non-conformant signatures.
> > 
> > Naturally, those actions can only be carried out by cooperating key
> > owners.
> > 
> > The policy specifies transitional periods for developers whose keys are
> > not signed by anyone in the community yet.
> > 
> 
> I do wonder about how this part will be enforced.
> 

It won't.

-- 
Best regards,
Michał Górny