On 03/22/2018 12:38 PM, Rich Freeman wrote: > On Thu, Mar 22, 2018 at 4:30 AM, Alexander Berntsen wrote: >> On 22/03/18 07:31, Benda Xu wrote: >>> We might be able to require GPG signed email to make a post. >> Almost definitely. >> >> But before bikeshedding that, it would be advisable to find out whether >> it would be a good idea in the first place. Unless you want only >> prospective developers to be able to contribute to the ML (maybe you do >> want that?), it seems like a poor idea to unnecessarily exclude anyone >> who doesn't care (nor want to care) about OpenPGP. > > That, and getting yourself whitelisted by a dev is gong to be a lower > barrier than having to meet one in-person to have a key signed. That > is unless devs just start signing keys for people they've never met > (which honestly doesn't really bother me much as I don't put much > faith in the WoT anyway), in which case it turns into a whitelist that > only comrel can un-whitelist since I don't think you can revoke a > signature. The one issuing the signature can also revoke it (see revsig in --edit-key). That said, I'd rather focus on our own devs having WoT and requiring it to become a developer long before we require it to be part of a mailing list. If anything the technical complexity of verifying it doesn't make much sense to me vs a simple whitelist. > > Plus signing emails is a pain if you don't use an MUA that has this > feature, and the web-based ones which do aren't very good. > -- Kristian Fiskerstrand OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3