On 01/04/2017 09:14 PM, Michael Orlitzky wrote:
> On 01/04/2017 02:47 PM, Kristian Fiskerstrand wrote:
>> On 01/04/2017 06:58 PM, Kristian Fiskerstrand wrote:
>>> With increasing focus on security in various contexts I'd like to
>>> propose that we start discussing catching up with other distributions
>>> and start requiring new developers' OpenPGP keyblocks to have at least
>>> two signatures from existing developers before applications can be
>>> made[A]. Amongst other things this helps build the Gentoo Web of Trust.
>>>
>
> By analogy with the CA system for websites: I don't care if the
> government of China thinks you're the Bank of America. All I want to
> know is, are you the guy that has my money?
>
> Likewise, I don't care if Michał thinks you look like Kristian
> Fiskerstrand. All I want to know is, are you the guy that passed the
> quizzes and pasted his key into LDAP? You can change your name, move to
> another country, switch genders -- I don't care -- you'll always be
> 0x0B7F8B60E3EDFAE3 to me. Having others verify your name is interesting
> metadata, but it isn't your primary key.
>
>

Hopefully the ID would be the full fingerprint and not the keyid :) But
this is likely sufficient for existing developers, indeed, because trust
is built over time. However, when bringing in new developers that have
full commit access to the tree this becomes more murky. One way to
restrict that is of course a review system and partitioning on the areas
it is possible to contribute to, but for the overall community building, I
consider having a stronger OpenPGP Web of Trust necessary, and that
includes entrance of new developers.

That might mean that the proposal is a two-step rocket: first we need to
build a stronger Web of Trust amongst existing developers and get more
visibility in participation in local events happening around, which is
also constructive in terms of attracting new recruits. And once that is
established, start enforcing more stringent rules when it comes to new
developer applications.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
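The exchange above turns on the difference between a key ID (the 0x0B7F8B60E3EDFAE3 Michael refers to) and the full fingerprint Kristian would rather see used as the identifier. The following is an added example, not code from either poster or from the Gentoo project. It computes an OpenPGP v4 fingerprint the way RFC 4880 section 12.2 defines it (SHA-1 over the octet 0x99, a two-octet big-endian length, and the public-key packet body) for a constructed RSA public-key packet whose modulus is a made-up small number, then shows that the long and short key IDs are nothing more than the last 8 and 4 octets of that fingerprint. The fingerprint string parsed at the end is the one from Kristian's signature; the packet contents, creation time and all function names are constructed for this example.

```python
"""Derive an OpenPGP v4 fingerprint and show that key IDs are truncations of it.

Added example; assumes nothing beyond RFC 4880's v4 fingerprint definition.
"""
import hashlib


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: two-octet bit length, then big-endian magnitude."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")


def constructed_rsa_public_key_body() -> bytes:
    """Body of a version 4 public-key packet (RFC 4880 5.5.2) for an RSA key.

    Layout: version (0x04), 4-octet creation time, algorithm (0x01 = RSA), MPI n, MPI e.
    The modulus is a constructed 248-bit value, far too small for a real key; it only
    gives the fingerprint routine realistic input to chew on.
    """
    creation_time = 1483568040  # constructed: 2017-01-04, the date of the thread
    n = 0xC0FFEE_DEADBEEF_0123456789ABCDEF_FEDCBA9876543210_1122334455667788  # constructed
    e = 65537
    return b"\x04" + creation_time.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(public_key_packet_body: bytes) -> bytes:
    """RFC 4880 12.2: SHA-1 over 0x99 || two-octet body length || body. Returns 20 octets."""
    if len(public_key_packet_body) > 0xFFFF:
        raise ValueError("v4 fingerprint input is limited by its two-octet length field")
    digest = hashlib.sha1()
    digest.update(b"\x99")
    digest.update(len(public_key_packet_body).to_bytes(2, "big"))
    digest.update(public_key_packet_body)
    return digest.digest()


def long_key_id(fingerprint: bytes) -> str:
    """64-bit key ID: the low-order 8 octets of the fingerprint, as 0x-prefixed hex."""
    return "0x" + fingerprint[-8:].hex().upper()


def short_key_id(fingerprint: bytes) -> str:
    """32-bit key ID: the low-order 4 octets, the form most easily collided."""
    return "0x" + fingerprint[-4:].hex().upper()


def normalize_fingerprint(text: str) -> bytes:
    """Accept 'fpr:94CB AFDD ...' or bare hex with optional spaces; return the 20 raw octets."""
    hex_part = text.split(":", 1)[1] if text.startswith("fpr:") else text
    hex_part = hex_part.replace(" ", "")
    if len(hex_part) != 40:
        raise ValueError("a v4 fingerprint is 20 octets / 40 hex digits")
    return bytes.fromhex(hex_part)


def key_id_matches(fingerprint: bytes, key_id: str) -> bool:
    """True when key_id is a suffix of the fingerprint.

    Because the key ID is derived by truncation, a match is necessary but never
    sufficient to identify a key: compare the full fingerprint before trusting anything.
    """
    wanted = key_id[2:] if key_id.lower().startswith("0x") else key_id
    return fingerprint.hex().upper().endswith(wanted.upper())


if __name__ == "__main__":
    fp = v4_fingerprint(constructed_rsa_public_key_body())
    print("constructed key fingerprint:", fp.hex().upper())
    print("its long key ID:            ", long_key_id(fp))
    print("its short key ID:           ", short_key_id(fp))
    page_fp = normalize_fingerprint("fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3")
    print("signature fpr -> long key ID:", long_key_id(page_fp))
```

Running the block shows that the 0x0B7F8B60E3EDFAE3 quoted in the reply is exactly the last sixteen hex digits of the fingerprint in the signature. That is the point behind preferring the fingerprint: the key ID carries no information the fingerprint lacks, and because it is a truncation, more than one key can share it, so an identity check should compare all 40 hex digits rather than the suffix.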