Gentoo Archives: gentoo-project

From: "Andreas K. Huettel" <dilfridge@g.o>
To: gentoo-project@l.g.o
Cc: Rich Freeman <rich0@g.o>
Subject: Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust
Date: Fri, 01 Feb 2019 12:51:13
Message-Id: 516346270.SVv7vubeFm@porto
In Reply to: Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust by Rich Freeman
Am Donnerstag, 31. Januar 2019, 18:33:25 CET schrieb Rich Freeman:
> On Thu, Jan 31, 2019 at 8:56 AM Michał Górny <mgorny@g.o> wrote: > > 1. It is entirely customary and therefore requires customized software > > > > to use. In other words, it's of limited usefulness to people outside > > Gentoo or does not work out of the box there. > > This part could be addressed easily by having Gentoo create a signing > key, and automatically signing all dev keys based on LDAP using it. > Then users can trust that one key and inherit trust for the rest. > > Users have to opt into the trust model by trusting somebody's key no > matter what. No reason that couldn't be a centrally-managed one.
Nitpicking: Gentoo infra would only sign a @gentoo.org uid, and whether it should contain a name or not would need to be defined (and published somewhere as signature policy). But yes, that is a (different) obvious way to go. -- Andreas K. Hüttel dilfridge@g.o Gentoo Linux developer (council, toolchain, base-system, perl, libreoffice)

Attachments

File name MIME type
signature.asc application/pgp-signature