Gentoo Archives: gentoo-project

From: Kristian Fiskerstrand <k_f@g.o>
To: gentoo-project@l.g.o, Rich Freeman <rich0@g.o>
Subject: Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust
Date: Fri, 01 Feb 2019 14:54:49
Message-Id: 1af4e9ff-970c-13bf-77bc-1d8bfeded7e6@gentoo.org
On 2/1/19 3:32 PM, Rich Freeman wrote:
> On Fri, Feb 1, 2019 at 9:17 AM Cynede <cynede@g.o> wrote:
>>
>> I'd like Gentoo to support pseudonyms (for the purposes of privacy) as
>> FSF projects do, and in that case ID/webcam verification with OpenPGP
>> keys being signed by members of trustee makes real sense. (probably
>> that could be off-topic here)
>
> IMO this is fairly tangential to the WoT issue.
>
> However, I'll point out the main issue with allowing pseudonyms is
> that it basically reduces skin in the game. People are probably less
> likely to treat each other terribly if it will result in them never
> getting another job. On the other hand, people will behave better if
> they know their reputation within Gentoo will translate into better
> opportunities for them in the real world.
>

Exactly, and that is only on the social element. Now what should we do if we don't know the identities of our developers and there is a remote code execution committed to our tree, obviously malicious, or someone misuses access to information[N1]?

This basically builds on the argument of skin in the game, but it can be dragged further than your example.

Notes
[N1] Infra is in a special role here, but so are a lot of other projects like comrel just to name another.

--
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Attachments

File name MIME type
signature.asc application/pgp-signature