On Sat, Feb 16, 2019 at 09:40:21AM +0100, Michał Górny wrote:
> Hi,
>
> Following the replies to my earlier GLEP, I'd like to separately discuss
> introducing Authority Keys to provide validity proof for @gentoo.org
> UIDs.
>

I believe you will find resistance from the usual crowd who are
advocating for key signing with validation of some form of
identification. However, I would offer that this identification
requirement does not help determine or predict intent.

Aside from that, I like the proposal and find it "meets in the middle"
of any other approaches out there. As it stands, users trust Gentoo as
a distribution and will most likely extend that trust with this process
in place.

Regarding the overall intent of keys and key signing, the goal would be
to inherently trust someone of which no ID is going to assist anyone in.
It is a perpetual process like any normal relationship and can be
altered at any time.

This falls back on Gentoo to ensure we can trust those developers in
some form. I would offer that a potential "probationary" period be
established before that individual's key is signed by the distribution
and distributed. Possibly, it is a part of the recruitment process or
may need to be extended further. Ultimately, the recruiters and mentors
hold the line for the protection of the distribution when on-boarding new
developers.

I like it... let's do it!

--
Cheers,
Aaron