On Thursday, 31 January 2019, 18:33:25 CET, Rich Freeman wrote:
> On Thu, Jan 31, 2019 at 8:56 AM Michał Górny <mgorny@g.o> wrote:
> > 1. It is entirely customary and therefore requires customized software
> > to use. In other words, it's of limited usefulness to people outside
> > Gentoo or does not work out of the box there.
>
> This part could be addressed easily by having Gentoo create a signing
> key, and automatically signing all dev keys based on LDAP using it.
> Then users can trust that one key and inherit trust for the rest.
>
> Users have to opt into the trust model by trusting somebody's key no
> matter what. No reason that couldn't be a centrally-managed one.

Nitpicking: Gentoo infra would only sign a @gentoo.org uid, and whether it
should contain a name or not would need to be defined (and published somewhere
as signature policy).
But yes, that is a (different) obvious way to go.
--
Andreas K. Hüttel
dilfridge@g.o
Gentoo Linux developer
(council, toolchain, base-system, perl, libreoffice)
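
The uid selection discussed in this message, as an added example that is not part of the original mail or of Gentoo's tooling: it parses `gpg --list-keys --with-colons` output and returns, per primary fingerprint, only the live uids whose address is exactly `<nick>@gentoo.org` for the nick recorded for that fingerprint. The `LDAP_NICKS` mapping, the nick-must-match rule and the sample keys are assumptions constructed for illustration; whether a certified uid may carry a name is left open, as in the message.

```python
import re

DOMAIN = "gentoo.org"
# Constructed sample data (not real keys); LDAP_NICKS stands in for an LDAP export.
FPR_DEV = "0123456789ABCDEF0123456789ABCDEF01234567"
FPR_OTHER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
LDAP_NICKS = {FPR_DEV: "janedev"}
SAMPLE = "\n".join([
    "pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC:",
    "fpr" + ":" * 9 + FPR_DEV + ":",
    "uid:-::::1500000000::A1::Jane Dev <jane@example.org>:",
    r"uid:-::::1500000000::A2::Jane Dev (perl\x3abase) <janedev@gentoo.org>:",
    "uid:r::::1500000000::A3::Jane Dev <janedev@gentoo.org>:",
    "uid:-::::1500000000::A4::Jane Dev <janedev@gentoo.org.example.net>:",
    "sub:-:4096:1:1111111111111111:1500000000::::::e:",
    "fpr" + ":" * 9 + "1" * 40 + ":",
    "pub:-:4096:1:FEDCBA9876543210:1500000000:::-:::scESC:",
    "fpr" + ":" * 9 + FPR_OTHER + ":",
    "uid:-::::1500000000::B1::Mallory <janedev@gentoo.org>:",
])

def unescape(field):
    # gpg writes ':' and control characters inside a field as \xNN.
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)

def uids_to_certify(colons, ldap_nicks):
    """Return {primary fingerprint: [uid, ...]} for uids the infra key may sign."""
    result, fpr, want_fpr = {}, None, False
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            fpr, want_fpr = None, True           # new key block starts
        elif f[0] == "fpr" and want_fpr and len(f) > 9:
            fpr, want_fpr = f[9], False          # first fpr after pub = primary key
        elif f[0] == "uid" and len(f) > 9 and fpr in ldap_nicks:
            if f[1] in ("r", "e"):               # revoked or expired uid
                continue
            uid = unescape(f[9])
            m = re.search(r"<([^<>@]+)@([^<>@]+)>$", uid)
            if (m and m.group(2).lower() == DOMAIN
                    and m.group(1).lower() == ldap_nicks[fpr].lower()):
                result.setdefault(fpr, []).append(uid)
    return result

if __name__ == "__main__":
    for key, uids in uids_to_certify(SAMPLE, LDAP_NICKS).items():
        print(key, uids)
```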