Gentoo Archives: gentoo-project

From: Rich Freeman <rich0@g.o>
To: gentoo-project <gentoo-project@l.g.o>
Subject: Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust
Date: Thu, 31 Jan 2019 17:33:39
Message-Id: CAGfcS_ka1LtXk6pJ9GSN9BJ_tiNg5rOWM+bfbP3KtCQ6odTJkw@mail.gmail.com
In Reply to: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust by "Michał Górny"
On Thu, Jan 31, 2019 at 8:56 AM Michał Górny <mgorny@g.o> wrote:
>
> 1. It is entirely customary and therefore requires customized software
> to use. In other words, it's of limited usefulness to people outside
> Gentoo or does not work out of the box there.

This part could be addressed easily by having Gentoo create a signing
key, and automatically signing all dev keys based on LDAP using it.
Then users can trust that one key and inherit trust for the rest.

Users have to opt into the trust model by trusting somebody's key no
matter what. No reason that couldn't be a centrally-managed one.

I'll also agree with the comment that physically interacting with
people is not all that easy. There are many areas of the world where
FOSS developers are relatively uncommon, let alone Gentoo ones.
Unless those alternate organizations have VERY broad coverage (such as
an alternative of a notary recognized by any country or something like
that) you're still going to have issues.

> Verify the person's real name (at least for the user identifier
> used for copyright purposes). This is usually done through
> verifying an identification document with photograph. It is
> a good idea to ask for the document type earlier, and read on
> forgery protections used.

"usually"? "identification document"? Does this mean that an
appropriate method of verification is entirely up to individual
discretion? If so that makes the process of getting every key signed
fairly trivial as long as two people have (in?)appropriately-rigorous
standards...

--
Rich
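
The central-key idea in the message above, as an added example that is not part of the original post or of any Gentoo tooling: a simplified Python model of GnuPG's classic validity rule (one fully trusted signer or three marginally trusted signers). The key names and the LDAP list are constructed placeholders, and certification depth, expiry and revocation are ignored.

```python
# Simplified model of GnuPG's classic validity rule (added example).
# A key is valid when signed by the user's own key, by one valid key with
# "full" ownertrust, or by three valid keys with "marginal" ownertrust
# (GnuPG defaults: completes-needed 1, marginals-needed 3).
# Depth limits, expiry and revocation are ignored in this model.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3


def valid_keys(own_key, ownertrust, certs):
    """Return the set of keys a user would treat as valid.

    ownertrust: {key: "full" | "marginal"} assigned locally by the user.
    certs: list of (signer, signee) certifications.
    """
    valid = {own_key}
    changed = True
    while changed:
        changed = False
        for key in {signee for _, signee in certs} - valid:
            signers = {s for s, t in certs if t == key and s in valid}
            full = sum(s == own_key or ownertrust.get(s) == "full" for s in signers)
            marginal = sum(ownertrust.get(s) == "marginal" for s in signers)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid.add(key)
                changed = True
    return valid


# Constructed sample data: placeholder names, not real keys or LDAP entries.
LDAP_DEVS = ["dev-a", "dev-b", "dev-c"]


def central_scenario():
    certs = [("user", "authority")]                 # user checks and signs the one central key
    certs += [("authority", d) for d in LDAP_DEVS]  # automated signing driven by LDAP
    certs.append(("dev-c", "outsider"))             # a dev certifies someone outside LDAP
    return valid_keys("user", {"authority": "full"}, certs)


def peer_only_scenario():
    # No central key: the user met dev-a only and trusts dev-a marginally.
    certs = [("user", "dev-a"), ("dev-a", "dev-b"), ("dev-b", "dev-c")]
    return valid_keys("user", {"dev-a": "marginal"}, certs)


if __name__ == "__main__":
    print("central key:", sorted(central_scenario()))
    print("peer only:  ", sorted(peer_only_scenario()))
```

In the central scenario `outsider` stays invalid because the user assigned ownertrust only to the authority key: validity is inherited from it, the ability to introduce further keys is not.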

Replies

Subject Author
Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust "Andreas K. Huettel" <dilfridge@g.o>
Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust "Michał Górny" <mgorny@g.o>