| 1 |
On 01/06/2017 01:49 PM, William L. Thomson Jr. wrote: |
| 2 |
> There isn't a real need for OpenGPG signatures on applications |
| 3 |
|
| 4 |
I disagree. Becoming a Gentoo developer gives you a key to a clubhouse, |
| 5 |
so to speak. We need to be sure that we're trusting exactly one person |
| 6 |
(in this case, a GPG/SSH key) and granting them access. It keeps |
| 7 |
Gentoo's Web of Trust a little better managed, as it limits vulnerability. |
| 8 |
|
| 9 |
That said: sure, there's nothing stopping a group from using a single |
| 10 |
key, but they'd have to be incredibly well-coordinated and agree on |
| 11 |
practically all of their communications, commit messages, etc. The |
| 12 |
likelihood that producing a single GPG key and single SSH key is a large |
| 13 |
barrier to Gentoo entry is low, especially considering we're entrusting |
| 14 |
them to be ideologically and technically savvy. If they can't leap the |
| 15 |
minor hurdle of producing the keys necessary to access the servers, can |
| 16 |
they be trusted to write decent ebuilds, manage infra, or understand |
| 17 |
enough about Gentoo to hold a vote-bearing position? |
| 18 |
|
| 19 |
In the grand scheme of things, producing a key and asking for one to get |
| 20 |
access isn't a big deal. Any issues with bureaucracy and recruitment is |
| 21 |
definitely elsewhere; GPG/SSH is the easiest part. |
| 22 |
|
| 23 |
This verification process that some have thrown around is a plus, but |
| 24 |
not something I'd consider required unless we approve specific methods |
| 25 |
of verification and it's not unreasonable. (For example, having a quick |
| 26 |
video conversation and sharing the contents of their keys live, etc) |
| 27 |
|
| 28 |
There are still pitfalls with that, too, however, because some of us may |
| 29 |
not have constant home connections or very much bandwidth (think |
| 30 |
dial-up). It's for that reason I'm okay with keys but against forced |
| 31 |
verification. |
| 32 |
-- |
| 33 |
Daniel Campbell - Gentoo Developer |
| 34 |
OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net |
| 35 |
fpr: AE03 9064 AE00 053C 270C 1DE4 6F7A 9091 1EA0 55D6 |
Archives