Gentoo Archives: gentoo-project

From: Michael Orlitzky <mjo@g.o>
To: gentoo-project@l.g.o
Subject: Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?
Date: Wed, 04 Jan 2017 21:19:31
Message-Id: 0d38018a-c945-6475-13a6-19549c489841@gentoo.org
In Reply to: Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications? by Kristian Fiskerstrand
I'm not sold -- I just don't see how having my key signed provides any
additional trust at this point. It looks like the closest developers to
me are pesa and tetromino (hi!) at around 45 miles.

Suppose I go meet Davide. We can either,

a) Verify that we both have driver's licenses with the correct
information, and sign each other's keys to verify that we
are who we say we are. This provides no additional security,
because my legal name isn't what I use to commit, nor is it
what you use to verify my commits.

b) Verify that we can each SSH into dev.gentoo.org, confirming
that I am really mjo and that he is really pesa. Again, we
already know that the guy who has mjo's key is mjo and the guy
who has pesa's key is pesa. Nothing new is learned.

If we do both, then you've learned that mjo was Michael Orlitzky at one
point in time. That's interesting metadata, but how does it provide
security?
