| 1 |
On 01/04/2017 09:14 PM, Michael Orlitzky wrote: |
| 2 |
> On 01/04/2017 02:47 PM, Kristian Fiskerstrand wrote: |
| 3 |
>> On 01/04/2017 06:58 PM, Kristian Fiskerstrand wrote: |
| 4 |
>>> With increasing focus on security in various contexts I'd like to |
| 5 |
>>> propose that we start discussing catching up with other distributions |
| 6 |
>>> and start requiring new developers' OpenPGP keyblocks to have at least |
| 7 |
>>> two signatures from existing developers before applications can be |
| 8 |
>>> made[A]. Amongst other things This helps building the Gentoo Web of Trust. |
| 9 |
>>> |
| 10 |
> |
| 11 |
> By analogy with the CA system for websites: I don't care if the |
| 12 |
> government of China thinks you're the Bank of America. All I want to |
| 13 |
> know is, are you the guy that has my money? |
| 14 |
> |
| 15 |
> Likewise, I don't care if MichaĆ thinks you look like Kristian |
| 16 |
> Fiskerstrand. All I want to know is, are you the guy that passed the |
| 17 |
> quizzes and pasted his key into LDAP? You can change your name, move to |
| 18 |
> another country, switch genders -- I don't care -- you'll always be |
| 19 |
> 0x0B7F8B60E3EDFAE3 to me. Having others verify your name is interesting |
| 20 |
> metadata, but it isn't your primary key. |
| 21 |
> |
| 22 |
> |
| 23 |
|
| 24 |
Hopefully the ID would be the full fingerprint and not the keyid :) But |
| 25 |
this is likely sufficient for existing developers, indeed, because trust |
| 26 |
is built over time. However, when bringing in new developers that have |
| 27 |
full commit access to the tree this becomes more murky. One way to |
| 28 |
restrict that is of course a review system and partitioning on the areas |
| 29 |
it is possible to contribute, but for the overall community building, I |
| 30 |
consider having a stronger OpenPGP Web of Trust necessary, and that |
| 31 |
includes entrance of new developers. |
| 32 |
|
| 33 |
That might mean that the proposal is a two step rocket, first we need to |
| 34 |
build a stronger Web of Trust amongst existing developers and get more |
| 35 |
visibility in participation in local events happening around, which is |
| 36 |
also constructive in terms of attracting new recruits. And once that is |
| 37 |
established start enforcing more stringent rules when it comes to new |
| 38 |
developer applications. |
| 39 |
|
| 40 |
-- |
| 41 |
Kristian Fiskerstrand |
| 42 |
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net |
| 43 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |
Archives