On 01/06/2017 01:49 PM, William L. Thomson Jr. wrote:
> There isn't a real need for OpenGPG signatures on applications

I disagree. Becoming a Gentoo developer gives you a key to a clubhouse,
so to speak. We need to be sure that we're trusting exactly one person
(in this case, a GPG/SSH key) and granting them access. It keeps
Gentoo's Web of Trust a little better managed, as it limits vulnerability.

That said: sure, there's nothing stopping a group from using a single
key, but they'd have to be incredibly well-coordinated and agree on
practically all of their communications, commit messages, etc. The
likelihood that producing a single GPG key and single SSH key is a large
barrier to Gentoo entry is low, especially considering we're entrusting
them to be ideologically and technically savvy. If they can't leap the
minor hurdle of producing the keys necessary to access the servers, can
they be trusted to write decent ebuilds, manage infra, or understand
enough about Gentoo to hold a vote-bearing position?

In the grand scheme of things, producing a key and asking for one to get
access isn't a big deal. Any issues with bureaucracy and recruitment are
definitely elsewhere; GPG/SSH is the easiest part.

This verification process that some have thrown around is a plus, but
not something I'd consider required unless we approve specific methods
of verification and it's not unreasonable. (For example, having a quick
video conversation and sharing the contents of their keys live, etc.)

There are still pitfalls with that, too, however, because some of us may
not have constant home connections or very much bandwidth (think
dial-up). It's for that reason I'm okay with keys but against forced
verification.
--
Daniel Campbell - Gentoo Developer
OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net
fpr: AE03 9064 AE00 053C 270C 1DE4 6F7A 9091 1EA0 55D6