Archives
Archives
| From: | Kristian Fiskerstrand <k_f@g.o> |
|---|---|
| To: | gentoo-project@l.g.o |
| Subject: | [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications? |
| Date: | Wed, 04 Jan 2017 17:58:34 |
| Message-Id: | ae9009e8-8185-5050-d989-458ec0f97612@gentoo.org |
| 1 | With increasing focus on security in various contexts I'd like to |
| 2 | propose that we start discussing catching up with other distributions |
| 3 | and start requiring new developers' OpenPGP keyblocks to have at least |
| 4 | two signatures from existing developers before applications can be |
| 5 | made[A]. Amongst other things This helps building the Gentoo Web of Trust. |
| 6 | |
| 7 | |
| 8 | E.g [Debian] has the following requirement: "To maintain the strong Web |
| 9 | of Trust that connects all Debian Developers, Applicants need to |
| 10 | identify themselves by providing an OpenPGP key that is signed by at |
| 11 | least two official Developers. To further ensure their identity, |
| 12 | signatures by other people (who do not need to be DDs, but should be |
| 13 | well connected in the overall Web of Trust) are strongly recommended." |
| 14 | |
| 15 | |
| 16 | References: |
| 17 | |
| 18 | [Debian] https://www.debian.org/devel/join/nm-checklist |
| 19 | |
| 20 | |
| 21 | Endnotes: |
| 22 | |
| 23 | [A] Possibly with an opt-out by application to council, in case there |
| 24 | are certain regions where this is considered non-feasable etc. |
| 25 | |
| 26 | -- |
| 27 | Kristian Fiskerstrand |
| 28 | OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net |
| 29 | fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |
| File name | MIME type |
|---|---|
| signature.asc | application/pgp-signature |
| Subject | Author |
|---|---|
| Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications? | Rich Freeman <rich0@g.o> |
| Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications? | "Michał Górny" <mgorny@g.o> |
| Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications? | Dirkjan Ochtman <djc@g.o> |
| Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications? | Kristian Fiskerstrand <k_f@g.o> |
| Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications? | Alice Ferrazzi <alicef@g.o> |
| Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications? | Andrew Savchenko <bircoph@g.o> |
| Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications? | Aaron Bauman <bman@g.o> |