From: Dane Smith
Date: Fri, 25 Mar 2011 14:57:20 -0400
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Re: rejecting unsigned commits
Message-ID: <4D8CE590.8060905@gentoo.org>

On 03/25/2011 02:46 PM, Mike Frysinger wrote:
> On Fri, Mar 25, 2011 at 4:53 AM, Andreas K. Huettel wrote:
>> Of course now we can add additional requirements:
>>
>> * The key must have a userid that refers to an official Gentoo e-mail
>> address. E.g. dilfridge@gentoo.org
>
> no. there's no reason for this requirement, and it prevents proxy
> maintenance long term. e-mail addresses do not verify identity,
> verifying identity verifies identity. this is the point of the web of
> trust.
> -mike
>

We are somewhat limited in the amount that we can verify "identity."
Sure you can get a decent web of trust from signing the keys of people
you've met at conferences, however, there will be people outside of that
web. What we need to verify is rather that the person who made the
commit is someone who is authorized to make the commit and that it was
in no way tampered with.

--
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index
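
The distinction drawn in this message (authorized and untampered, rather than identity inferred from an e-mail address) can be checked mechanically. The following is an added example, not part of the original e-mail or of any Gentoo tooling: it reads GnuPG's machine-readable status lines (as written by `gpg --status-fd`) and decides on the key fingerprint alone. The allowlist, the function name `check_signature` and all sample status lines are constructed for illustration.

```python
# Authorize a signature by primary-key fingerprint, never by the user ID text.
# Input: GnuPG status output for one signature check (gpg --status-fd format).

# Constructed allowlist of primary-key fingerprints (placeholders, not real keys).
AUTHORIZED = {
    "1111111111111111111111111111111111111111": "proxy-maintainer",
    "2222222222222222222222222222222222222222": "developer",
}

# Status keywords after which the signature must not be accepted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def check_signature(status_text, authorized):
    """Return (accepted, detail) for the status output of one signature check."""
    fingerprint = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in REJECT:
            return False, keyword  # tampered, unverifiable, expired or revoked
        if keyword == "VALIDSIG" and len(fields) >= 3:
            # The tenth VALIDSIG argument is the primary-key fingerprint;
            # fall back to the signing-key fingerprint when it is absent.
            fingerprint = fields[11] if len(fields) >= 12 else fields[2]
    if fingerprint is None:
        return False, "no valid signature"
    if fingerprint.upper() not in authorized:
        return False, "key not authorized"
    return True, authorized[fingerprint.upper()]


# Constructed samples. The user ID on GOODSIG is free text chosen by the key owner.
PROXY_OK = (
    "[GNUPG:] GOODSIG 1111111111111111 Proxy Maintainer <proxy@example.org>\n"
    "[GNUPG:] VALIDSIG " + "1" * 40 + " 2011-03-25 1301079440 0 4 0 1 2 00 " + "1" * 40
)
LOOKALIKE = (
    "[GNUPG:] GOODSIG 9999999999999999 Someone <someone@gentoo.org>\n"
    "[GNUPG:] VALIDSIG " + "9" * 40 + " 2011-03-25 1301079440 0 4 0 1 2 00 " + "9" * 40
)
TAMPERED = "[GNUPG:] BADSIG 2222222222222222 Developer <developer@example.org>"

if __name__ == "__main__":
    for name, sample in [("proxy", PROXY_OK), ("lookalike", LOOKALIKE), ("tampered", TAMPERED)]:
        print(name, check_signature(sample, AUTHORIZED))
```

The proxy maintainer's key passes without a project e-mail address in its user ID, while a cryptographically valid signature from a key whose user ID merely names one is rejected because its fingerprint is not on the list.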