Gentoo Archives: gentoo-project

From: "Michał Górny" <mgorny@g.o>
To: gentoo-project@l.g.o
Subject: Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust
Date: Fri, 01 Feb 2019 14:20:36
Message-Id: 1549030828.722.3.camel@gentoo.org
On Thu, 2019-01-31 at 09:32 -0600, Matthew Thode wrote:
> On 19-01-31 14:56:48, Michał Górny wrote:
> > Motivation
> > ==========
> >
> > While Gentoo has observed the status of the OpenPGP web of trust for many years,
> > there has never been a proper push to get all developers covered by it
> > or even to formalize the rules of signing one another's keys. Apparently,
> > there are still many Gentoo developers who do not have their
> > ``@gentoo.org`` UID signed by another active developer. Historically
> > there were also cases of developers signing others' UIDs without
> > actually verifying their identity. [#WOT-GRAPH]_ [#WOT-STATS]_
> >
> > The web of trust is usually considered secondary to Gentoo's internal
> > trust system based on key fingerprints stored in LDAP and distributed
> > via the website. While this system reliably covers all Gentoo
> > developers, it has three major drawbacks:
> >
> > 1. It is entirely customary and therefore requires customized software
> >    to use. In other words, it's of limited usefulness to people outside
> >    Gentoo or does not work out of the box there.
>
> s/customary/custom?
>
> > 2. At least in the current form, it is entirely limited to Gentoo
> >    developers. As such, it does not facilitate trust between them
> >    and the outer world.
> >
> > 3. It relies on a centralized server whose authenticity is in turn
> >    proved via PKI. This model is generally considered weak.
> >
> > Even if this trust system is to stay central to Gentoo's needs,
> > it should be beneficial for Gentoo developers to start improving
> > the OpenPGP web of trust, both for the purpose of improving Gentoo's
> > position in it and for the purpose of enabling better trust coverage
> > between Gentoo developers, users and other people.
> >
> > Furthermore, the recent copyright policy established in GLEP 76
> > introduces the necessity of verifying real names of developers. Given
> > that the Foundation wishes to avoid requesting document scans or other
> > forms of direct verification, the identity verification required
> > for UID signing can also serve the needs of verifying the name
> > for Certificate of Origin sign-off purposes. [#GLEP76]_
> >
>
> I don't see anything in GLEP 76 about requiring verification of the
> signatures. It's my view (as trustee) that assertion by the signer
> that 'this is my signature' is sufficient. Introducing more
> verification should not be needed. That said, I do think switching to a
> WoT model has some merit, it's just that the name verification is a
> side benefit, not a primary reason for the switch.
There's no plan to verify signatures of all contributors. However, I believe Gentoo developers should naturally go for higher standards. After all, if you don't care at all, why become a developer in the first place?
> > Backwards Compatibility
> > =======================
> >
> > Gentoo does not use any particular web of trust policy at the moment.
> > Not all existing signatures conform to the new policy. Therefore,
> > approving it is going to require, in some cases:
> >
> > a. replacing non-conformant user identifiers,
> >
> > b. revoking non-conformant signatures.
> >
> > Naturally, those actions can only be carried out by cooperating key
> > owners.
> >
> > The policy specifies transitional periods for developers whose keys are
> > not signed by anyone in the community yet.
> >
>
> I do wonder about how this part will be enforced.
>
It won't.

-- 
Best regards,
Michał Górny
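The coverage gap the quoted motivation describes (an ``@gentoo.org`` UID with no certification from another active developer) can be audited mechanically from ``gpg --with-colons --list-sigs`` output. The script below is an added example for this archive page, not code from the thread or from Gentoo's infra; the key IDs, names and the "active developer" set are constructed placeholders standing in for the LDAP fingerprint list.

```python
"""Find @gentoo.org UIDs lacking a certification from another active developer.

Input is the colon-separated machine-readable listing produced by
``gpg --with-colons --list-sigs``: field 1 is the record type, field 5 the
long key ID (for 'pub' the key itself, for 'sig' the certifying key), field
10 the user ID text, field 11 the signature class (e.g. '13x' = positive).
"""

# Constructed stand-in for the set of active developers' key IDs that the
# pre-GLEP says Gentoo keeps in LDAP; these are placeholders, not real keys.
ACTIVE_DEVS = {"0123456789ABCDEF", "FEDCBA9876543210", "00000000DEADBEEF"}

# Constructed sample listing: three developer keys with their certifications.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1500000000::::::scESC::::::23::0:
uid:u::::1500000000::HASH1::Alice Dev <alice@gentoo.org>::::::::::0:
sig:::1:0123456789ABCDEF:1500000000::::Alice Dev <alice@gentoo.org>:13x:::::2:
sig:::1:FEDCBA9876543210:1500000001::::Bob Dev <bob@gentoo.org>:13x:::::2:
pub:u:4096:1:FEDCBA9876543210:1500000000::::::scESC::::::23::0:
uid:u::::1500000000::HASH2::Bob Dev <bob@gentoo.org>::::::::::0:
sig:::1:FEDCBA9876543210:1500000000::::Bob Dev <bob@gentoo.org>:13x:::::2:
sig:::1:1111222233334444:1500000002::::Some Stranger <x@example.org>:10x:::::2:
pub:u:4096:1:00000000DEADBEEF:1500000000::::::scESC::::::23::0:
uid:u::::1500000000::HASH3::Carol Dev <carol@gentoo.org>::::::::::0:
sig:::1:00000000DEADBEEF:1500000000::::Carol Dev <carol@gentoo.org>:13x:::::2:
uid:u::::1500000000::HASH4::Carol Dev <carol@example.com>::::::::::0:
sig:::1:FEDCBA9876543210:1500000003::::Bob Dev <bob@gentoo.org>:13x:::::2:
"""


def uncovered_gentoo_uids(listing, active_devs):
    """Return {uid: sorted third-party certifier key IDs} for every
    @gentoo.org UID that no active developer (other than the key's own
    owner) has certified. Self-signatures are ignored: they say nothing
    about whether anyone verified the identity."""
    certifiers = {}          # gentoo.org uid -> set of third-party signer key IDs
    key = uid = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key, uid = f[4], None            # new key; its self-sigs use this ID
        elif f[0] == "uid":
            uid = f[9]
            if uid.endswith("@gentoo.org>"):
                certifiers.setdefault(uid, set())
            else:
                uid = None                   # sigs on non-gentoo UIDs don't count
        elif f[0] == "sig" and uid is not None and f[4] != key:
            certifiers[uid].add(f[4])
    return {u: sorted(s) for u, s in certifiers.items() if not (s & active_devs)}


if __name__ == "__main__":
    for u, signers in uncovered_gentoo_uids(SAMPLE_LISTING, ACTIVE_DEVS).items():
        print(f"{u}: no active-developer certification (third-party signers: {signers})")
```

On real data, feed it the listing of the keyring built from the LDAP fingerprints so that ``ACTIVE_DEVS`` and the certifications come from the same source.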

Attachments

File name      MIME type
signature.asc  application/pgp-signature