On Mon, Aug 11, 2003 at 11:35:19AM +0000 or thereabouts, Tavis Ormandy wrote:
> Well, however you choose to distribute keys there's the problem of
> getting everybody to create one..that's hardly a huge issue, and the
> problem exists for every method of distribution..using a keys.gentoo.org
> webserver is still "rendered useless" if you can't get everybody to
> generate and upload a key, how do you propose to deal with that?

The efforts we have underway with secure portage will require developers to have and maintain a GPG key. It will also require them to place said key on a public keyserver.

> none of the issues apply solely to my solution, and I'm certain the
> benefits outweigh the drawbacks.

Well, at this point, I'm inclined to reject this GLEP and/or ask you to re-work it to incorporate some of the changes suggested by myself and others. Specifically:

* Data needs to be maintained in one central repository.
* I'm not opposed to offering fingerd as a means of data transport, as long as it pulls data from the central repository mentioned above.
* I'd also be open to allowing devs the option of *supplementing* the information available via fingerd by creating a .plan or whatever. However, the core info (GPG key, name, herds info, etc.) needs to be maintained in the central repository.

Basically, I see the benefits of offering fingerd as a service to our users and am willing to support that, infrastructure-wise. I do not agree, however, that fingerd should be the *primary* method of distributing this info, nor do I support the idea of storing critical information such as GPG keys in developer home dirs -- at least not as the primary "official" repository.

--kurt