From: | Kristian Fiskerstrand <k_f@g.o> |
---|---|
To: | gentoo-project@l.g.o |
Subject: | [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications? |
Date: | Wed, 04 Jan 2017 17:58:34 |
Message-Id: | ae9009e8-8185-5050-d989-458ec0f97612@gentoo.org |
With increasing focus on security in various contexts I'd like to
propose that we start discussing catching up with other distributions
and start requiring new developers' OpenPGP keyblocks to have at least
two signatures from existing developers before applications can be
made[A]. Amongst other things, this helps build the Gentoo Web of Trust.


E.g. [Debian] has the following requirement: "To maintain the strong Web
of Trust that connects all Debian Developers, Applicants need to
identify themselves by providing an OpenPGP key that is signed by at
least two official Developers. To further ensure their identity,
signatures by other people (who do not need to be DDs, but should be
well connected in the overall Web of Trust) are strongly recommended."


References:

[Debian] https://www.debian.org/devel/join/nm-checklist


Endnotes:

[A] Possibly with an opt-out by application to council, in case there
are certain regions where this is considered non-feasible etc.

--
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
File name | MIME type |
---|---|
signature.asc | application/pgp-signature |