From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1Q3JAK-0002Pz-G0 for garchives@archives.gentoo.org; Sat, 26 Mar 2011 02:23:48 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 879021C0BB; Sat, 26 Mar 2011 02:23:32 +0000 (UTC) Received: from mail-iy0-f181.google.com (mail-iy0-f181.google.com [209.85.210.181]) by pigeon.gentoo.org (Postfix) with ESMTP id BF2181C04B for ; Sat, 26 Mar 2011 02:22:56 +0000 (UTC) Received: by iyb26 with SMTP id 26so2142696iyb.40 for ; Fri, 25 Mar 2011 19:22:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:in-reply-to:references:from :date:x-google-sender-auth:message-id:subject:to:content-type :content-transfer-encoding; bh=fDWoVegx5xU5w7yfAKuxJCJlZvJy4IFXDg7dUIxM2fI=; b=Zdj0zW9f+h2PVBKLoFT6Z6O4jZBSRQHlJvF+etnUln73WLodGGYV+xxJu5pnO5j/h9 JXKb/JTifZzioYpgcTz+bHxxwWmqTDdyFOUzSDsm4FG3Kx+CpryUOuyZ8ofACz0X7jmw EljJlgHM3Nd768jlutqzJZFFA8YDNYc1PMKtI= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:content-type :content-transfer-encoding; b=kQYasGlUnonS/2MSjLl0VBopcKmwMhtg2A40EK4QPo23UZQCRjcbLSQo6EWThmd4Ok YTHFOsaZMYnpCo7Y9UOUaV4nq0I7RS81Pkrl43HdTPUe7sYrz5unP3HgDXAkfRwOxNRw rdhhS245U3mharobF34PLnnrnKx1cRUdgAmpM= Received: by 10.42.134.132 with SMTP id l4mr2353422ict.13.1301106176232; Fri, 25 Mar 2011 19:22:56 -0700 (PDT) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 Sender: vapierfilter@gmail.com Received: by 10.231.11.195 with HTTP; Fri, 25 Mar 2011 19:22:36 -0700 (PDT) In-Reply-To: <201103252133.27978.dilfridge@gentoo.org> References: <201103252050.13759.dilfridge@gentoo.org> <201103252133.27978.dilfridge@gentoo.org> From: Mike Frysinger Date: Fri, 25 Mar 2011 22:22:36 -0400 X-Google-Sender-Auth: QsXsNNtd81wibnhy1XYH7ptSQTI Message-ID: Subject: Re: [gentoo-dev] Re: rejecting unsigned commits To: gentoo-dev@lists.gentoo.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable X-Archives-Salt: X-Archives-Hash: eac9967aea4384c3840f3c21f8c345a0 On Fri, Mar 25, 2011 at 4:33 PM, Andreas K. Huettel wrote: >> and no where do we require you to generate a gpg key bound to the >> Gentoo e-mail address. =A0we require you to provide a gpg key only. >> like you said *right here*, we have 0 information to identify you, and >> using a Gentoo e-mail address adds *nothing* to that. =A0so why add a >> completely useless requirement ? > > Because, pointing out the obvious, the key can contain all sorts of rando= m true or false information. I could have an user id saying "Barack Obama <= president@whitehouse.gov>". > > To be able to do key validation based on gpg's mechanisms, an userid need= s to be signed. As e.g. Scarabeus and Wired can confirm, I'm definitely not= Barack Obama, but for less obvious cases the validity of the provided iden= tity may be unclear. > > Now, if I add an userid "" to my key, this userid d= oes not contain any information that is not already verified and "in the Ge= ntoo infra data". So, this one userid could be signed immediately by a cent= ral instance without any further fuss. first off, fix your e-mail client. this long line crap is ridiculous. second, anyone can add/remove e-mail addresses. we arent verifying e-mail addresses, we're verifying keys. the *only* thing that matters is that the key we have on file (0xabcd) is the one that was used to sign. > It's imho not a hard requirement, but it considerably eases administratio= n. So why not require it for devs? it makes 0 difference to administration -mike