From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 66DE9138334 for ; Sat, 23 Feb 2019 07:57:45 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 30CB5E08D4; Sat, 23 Feb 2019 07:57:44 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id D2CD5E08D3 for ; Sat, 23 Feb 2019 07:57:43 +0000 (UTC) Received: from pomiot (d202-252.icpnet.pl [109.173.202.252]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: mgorny) by smtp.gentoo.org (Postfix) with ESMTPSA id AACEB335DD0; Sat, 23 Feb 2019 07:57:41 +0000 (UTC) Message-ID: <1550908657.752.11.camel@gentoo.org> Subject: Re: [gentoo-project] [RFC] OpenPGP Authority Keys to provide validity of developer/service keys From: =?UTF-8?Q?Micha=C5=82_G=C3=B3rny?= To: gentoo-project@lists.gentoo.org Date: Sat, 23 Feb 2019 08:57:37 +0100 In-Reply-To: References: <1550306421.831.16.camel@gentoo.org> <1550393754.1257.5.camel@gentoo.org> <20190217185416.nbgwm266moyk6j2u@gentoo.org> <1550496176.727.9.camel@gentoo.org> <1550606478.912.10.camel@gentoo.org> Organization: Gentoo Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-osI1Zp3UUkzeetqvegYm" X-Mailer: Evolution 3.26.6 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Project discussion list X-BeenThere: gentoo-project@lists.gentoo.org Reply-To: gentoo-project@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply Mime-Version: 1.0 X-Archives-Salt: 5dc2141e-6fdd-40fd-bb1a-45488dd52d5b X-Archives-Hash: 8440bbfdb68ae10c2ab333c9744d8ff9 --=-osI1Zp3UUkzeetqvegYm Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Tue, 2019-02-19 at 16:54 -0500, Alec Warner wrote: > > It seems like it would make far more sense to look at other direct > > measures of activity than how up-to-date their gpg key is in the > > keyservers. > >=20 >=20 > I'm bad at GPG. However, I believe updating my keys to adapt to the polic= y > took me about 30 minutes. Its required once every 12 months. >=20 > Where should we set the bar here, if not "please contribute at least 30 > minutes every year to retain your developership." >=20 There are a few problems here. Firstly, we have a fair share of developers who don't follow any news, and just do little Gentoo in their little corner. You need to find a way to communicate this new requirement to them. They will be probably outraged they have to do yet another thing to stay developers. Secondly, retiring developers is a nasty business. Imagine people who haven't done anything in N years, ignore retirement mail and then insult us that we didn't go out of our way to discover they've lost access to their Gentoo account years ago and never bothered to ask for reinstating it. Now imagine what we're going to get for dare trying to retire someone who ignored a few CAFF mails. Or retiring the same person after it ignored all the retirement mail. Thirdly, as I said, it introduces operation gaps. My original goal is to make it possible for users to mail devs anytime. It's not going to be nice to have gaps of one week between old signature expiring and developer getting around to publish a new one. Not to mention the obvious failure of importing the signature and forgetting to send it to keyservers. --=20 Best regards, Micha=C5=82 G=C3=B3rny --=-osI1Zp3UUkzeetqvegYm Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iQKTBAABCgB9FiEEXr8g+Zb7PCLMb8pAur8dX/jIEQoFAlxw/PJfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDVF QkYyMEY5OTZGQjNDMjJDQzZGQ0E0MEJBQkYxRDVGRjhDODExMEEACgkQur8dX/jI EQqM9RAAr927Yz+S/MSYrpua7yVvTdlgKT/w5O4IS1GJmmWSvi1lI9hdNZxY/jil N9ZNeonGN35XJJ8HEyV3dzJySD04tWZfWrYvwgWE5p87gF8OhnM2j6PDVXZZTpCr 2tRgv0oZ9V2/tYRfotozfEFUaw/G/PEDT2ZeTubqqQDjv6HTBTyTaBBT3CvP/JPY 7Rr7RYoyT8LCrpQxgO3w7u4fG5JvdQYOPvpgAKJLr39DmflhoZNBklK3M4AqQEdp jafT/xLu+iSZ74Buf8CXtdF9qO83yR9b7h5JogvSkFdxJO2o8bnn/HCDDRd2xN43 ViGVcJzmL4y8fPBoBnyF9K78UXd6Vaco80CT/T3bLNTD2T3JaU7AdVNfdaec4ifN PJHfVSn3F0PsRDUW3NugMojMyRJ7DfLQX8Zre2XZweB+oViLLFBUhrajZkhJklm4 W9pAY8igxuUuDeSUxjYZqBIkZ1GkoAliMnGcUn2GwF9aWUjJ5dyX1NmnAVfLPk7V KGsXYhmFN9pAHpTdAagPoG2TJn+t60viuZAcQABczouzjLYoI62cZw5+kOPlpR/1 EGCUpToYwcNJs+XuGSNbAQwegT7Pj3vfyqdpHXekXGpxxUUxYfb/nXvzJ2c5WIhQ 04Zu3U5UgYqe7AAhD9aCEkhFO7CKHV9IHqFKMOsyHMUTjzLnQqU= =orHR -----END PGP SIGNATURE----- --=-osI1Zp3UUkzeetqvegYm--