Gentoo Archives: gentoo-project

From: Aaron Bauman <bman@g.o>
To: gentoo-project@l.g.o
Subject: Re: [gentoo-project] [RFC] OpenPGP Authority Keys to provide validity of developer/service keys
Date: Sun, 17 Feb 2019 03:45:17
Message-Id: 20190217034510.GD1413@monkey
In Reply to: [gentoo-project] [RFC] OpenPGP Authority Keys to provide validity of developer/service keys by "Michał Górny"
On Sat, Feb 16, 2019 at 09:40:21AM +0100, Michał Górny wrote:
> Hi,
>
> Following the replies to my earlier GLEP, I'd like to separately discuss
> introducing Authority Keys to provide validity proof for @gentoo.org
> UIDs.
>

I believe you will find resistance from the usual crowd who are
advocating for key signing with validation of some form of
identification. However, I would offer that this identification
requirement does not help determine or predict intent.

Aside from that, I like the proposal and find it "meets in the middle"
of any other approaches out there. As it stands, users trust Gentoo as
a distribution and will most likely extend that trust with this process
in place.

Regarding the overall intent of keys and key signing, the goal would be
to inherently trust someone, which no ID is going to assist anyone in.
It is a perpetual process like any normal relationship and can be
altered at any time.

This falls back on Gentoo to ensure we can trust those developers in
some form. I would offer that a potential "probationary" period be
established before that individual's key is signed by the distribution
and distributed. Possibly, it is a part of the recruitment process or
may need to be extended further. Ultimately, the recruiters and mentors
hold the line for the protection of the distribution when on-boarding new
developers.

I like it... let's do it!

--
Cheers,
Aaron

Attachments

File name MIME type
signature.asc application/pgp-signature