Gentoo Archives: gentoo-project

From: "Michał Górny" <mgorny@g.o>
To: gentoo-project@l.g.o
Subject: Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust
Date: Fri, 01 Feb 2019 14:20:36
Message-Id: 1549030828.722.3.camel@gentoo.org
In Reply to: Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust by Matthew Thode
On Thu, 2019-01-31 at 09:32 -0600, Matthew Thode wrote:
> On 19-01-31 14:56:48, Michał Górny wrote:
> > Motivation
> > ==========
> >
> > While Gentoo observes the status of OpenPGP web of trust for many years,
> > there never has been a proper push to get all developers covered by it
> > or even formalize the rules of signing one another's keys. Apparently,
> > there are still many Gentoo developers who do not have their
> > ``@gentoo.org`` UID signed by another active developer. Historically
> > there were also cases of developers signing others' UIDs without
> > actually verifying their identity. [#WOT-GRAPH]_ [#WOT-STATS]_
> >
> > The web of trust is usually considered secondary to Gentoo's internal
> > trust system based on key fingerprints stored in LDAP and distributing
> > via the website. While this system reliably covers all Gentoo
> > developers, it has three major drawbacks:
> >
> > 1. It is entirely customary and therefore requires customized software
> > to use. In other words, it's of limited usefulness to people outside
> > Gentoo or does not work out of the box there.
>
> s/customary/custom?
> >
> > 2. At least in the current form, it is entirely limited to Gentoo
> > developers. As such, it does not facilitate trust between them
> > and the outer world.
> >
> > 3. It relies on a centralized server whose authenticity is in turn
> > proved via PKI. This model is generally considered weak.
> >
> > Even if this trust system is to stay being central to Gentoo's needs,
> > it should be beneficial for Gentoo developers start to improving
> > the OpenPGP web of trust, both for the purpose of improving Gentoo's
> > position in it and for the purpose of enabling better trust coverage
> > between Gentoo developers, users and other people.
> >
> > Furthermore, the recent copyright policy established in GLEP 76
> > introduces the necessity of verifying real names of developers. Given
> > that the Foundation wishes to avoid requesting document scans or other
> > form of direct verification, the identity verification required
> > for UID signing can also serve the needs of verifying the name
> > for Certificate of Origin sign-off purposes. [#GLEP76]_
> >
>
> I don't see anything in glep 76 about requiring verification of the
> signatures. It's my view (as trustee) that assertation by the signer
> that 'this is my signature' is sufficient. Introducing more
> verification should not be needed. That said I do think switching to a
> WoT model has some merit, it's just that the name verification is a
> side benefit, not a primary reason for the switch.

There's no plan to verify signatures of all contributors. However,
I believe Gentoo developers should naturally go for higher standards.
After all, if you don't care at all, why become a developer in the first
place?

>
> > Backwards Compatibility
> > =======================
> >
> > Gentoo does not use any particular web of trust policy at the moment.
> > Not all of existing signatures conform to the new policy. Therefore,
> > approving it is going to require, in some cases:
> >
> > a. replacing non-conformant user identifiers,
> >
> > b. revoking non-conformant signatures.
> >
> > Naturally, those actions can only be carried off by cooperating key
> > owners.
> >
> > The policy specifies transitional periods for developers whose keys are
> > not signed by anyone in the community yet.
> >
>
> I do wonder about how this part will be enforced.
>

It won't.

--
Best regards,
Michał Górny
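The quoted motivation states that many developers still lack an ``@gentoo.org`` UID certified by another active developer. The following script, added here as an illustration and not part of the pre-GLEP or any Gentoo tooling, audits a ``gpg --with-colons --list-sigs`` listing for exactly that gap. The developer key-ID set (in practice taken from LDAP), the sample listing and the rule that persona (0x11) certifications do not count are all assumptions of this example.

```python
"""Audit a keyring listing for @gentoo.org UIDs no other developer has certified."""

# Assumption: long key IDs of active developers (Gentoo keeps these in LDAP).
# Constructed values, not real keys.
DEVELOPER_KEYIDS = {"AAAAAAAAAAAAAAAA", "BBBBBBBBBBBBBBBB", "CCCCCCCCCCCCCCCC"}

# Certification classes counted as an identity certification: generic (0x10),
# casual (0x12) and positive (0x13). Persona (0x11) states that no verification
# was done, so this example excludes it (an assumption, not pre-GLEP text).
ACCEPTED_CLASSES = {"10", "12", "13"}

# Constructed `gpg --with-colons --list-sigs` output: Alice is certified by Bob;
# Carol has only a self-sig, a non-developer sig, a persona sig and a revoked sig.
SAMPLE_LISTING = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:1700000000::u:::scESC::::::23::0:
uid:u::::1500000000::HASH1::Alice Dev <alice@gentoo.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1500000000::::Alice Dev <alice@gentoo.org>:13x::FPR_A:::8:
sig:::1:BBBBBBBBBBBBBBBB:1510000000::::Bob Dev <bob@gentoo.org>:13x::FPR_B:::8:
pub:u:4096:1:CCCCCCCCCCCCCCCC:1500000000:1700000000::u:::scESC::::::23::0:
uid:u::::1500000000::HASH2::Carol Dev <carol@gentoo.org>::::::::::0:
sig:::1:CCCCCCCCCCCCCCCC:1500000000::::Carol Dev <carol@gentoo.org>:13x::FPR_C:::8:
sig:::1:DDDDDDDDDDDDDDDD:1510000000::::[User ID not found]:10x::FPR_D:::8:
sig:::1:AAAAAAAAAAAAAAAA:1510000000::::Alice Dev <alice@gentoo.org>:11x::FPR_A:::8:
sig:::1:BBBBBBBBBBBBBBBB:1510000000::::Bob Dev <bob@gentoo.org>:13x::FPR_B:::8:
rev:::1:BBBBBBBBBBBBBBBB:1520000000::::Bob Dev <bob@gentoo.org>:30x::FPR_B:::8:
"""


def parse_uid_certifications(listing):
    """Map each UID string to the set of third-party signer key IDs.
    Self-signatures are skipped; a `rev` record removes that signer's certification."""
    result, own_keyid, signers = {}, None, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            own_keyid = f[4]                              # field 5: key ID listed
        elif f[0] == "uid":
            signers = result.setdefault(f[9], set())      # field 10: UID string
        elif f[0] == "sig" and signers is not None:
            if f[4] != own_keyid and f[10][:2] in ACCEPTED_CLASSES:
                signers.add(f[4])                         # field 5: signer key ID
        elif f[0] == "rev" and signers is not None:
            signers.discard(f[4])
    return result


def uncovered_gentoo_uids(listing, developers=DEVELOPER_KEYIDS):
    """Return @gentoo.org UIDs lacking a certification from another active developer."""
    certs = parse_uid_certifications(listing)
    return sorted(uid for uid, signers in certs.items()
                  if "@gentoo.org" in uid and not (signers & developers))
```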
