[gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 1151 bytes --]

With increasing focus on security in various contexts I'd like to
propose that we start discussing catching up with other distributions
and start requiring new developers' OpenPGP keyblocks to have at least
two signatures from existing developers before applications can be
made[A]. Amongst other things This helps building the Gentoo Web of Trust.


E.g [Debian] has the following requirement: "To maintain the strong Web
of Trust that connects all Debian Developers, Applicants need to
identify themselves by providing an OpenPGP key that is signed by at
least two official Developers. To further ensure their identity,
signatures by other people (who do not need to be DDs, but should be
well connected in the overall Web of Trust) are strongly recommended."


References:

[Debian] https://www.debian.org/devel/join/nm-checklist


Endnotes:

[A] Possibly with an opt-out by application to council, in case there
are certain regions where this is considered non-feasable etc.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Rich Freeman]

On Wed, Jan 4, 2017 at 12:58 PM, Kristian Fiskerstrand <k_f@gentoo.org> wrote:
> With increasing focus on security in various contexts I'd like to
> propose that we start discussing catching up with other distributions
> and start requiring new developers' OpenPGP keyblocks to have at least
> two signatures from existing developers before applications can be
> made[A]. Amongst other things This helps building the Gentoo Web of Trust.
>
>
> E.g [Debian] has the following requirement: "To maintain the strong Web
> of Trust that connects all Debian Developers, Applicants need to
> identify themselves by providing an OpenPGP key that is signed by at
> least two official Developers. To further ensure their identity,
> signatures by other people (who do not need to be DDs, but should be
> well connected in the overall Web of Trust) are strongly recommended."
>

Looking at our developer map this seems incredibly impractical.  I
know I've yet to actually bump into another Gentoo developer.  Sure, I
could fly out to SCALE or FOSDEM (which are about equidistant), but
this seems a bit much for a requirement, even if I'm likely to get
around to it one of these years.

Also, we have fairly specific requirements for our gpg signing keys,
so there is a good chance that any existing keys that candidates have
which bear signatures may not be usable for Gentoo, meaning that
they're starting out from ground zero.  I don't know if the intent is
that the signatures come from keys that meet our gpg key requirements,
but if so that will mean that most candidates will not have an
existing web of trust either.  Personally I met the Gentoo gpg
requirements by just generating a new key used for Gentoo signing
only, and it has no signatures at all.

Sure, it makes sense in an ideal world, but if we're going to go along
this route I think we need to come up with a more practical way of
getting developer signatures than bumping into them at conferences, or
happening to live nearby one.  I'm surprised Debian is able to make it
work, even with their larger developer counts.  I guess it could work
in areas with high concentrations, like Silicon Valley.  Maybe you
could get by with video conferencing and holding up passports/IDs,
though good luck finding a client for that which meets our social
contract and works on a Chromebook.  :)

-- 
Rich

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[William L. Thomson Jr.]

[-- Attachment #1: Type: text/plain, Size: 1767 bytes --]

On Wednesday, January 4, 2017 1:55:37 PM EST Rich Freeman wrote:
> 
> Looking at our developer map this seems incredibly impractical.  I
> know I've yet to actually bump into another Gentoo developer.  

Despite the question of my social skills, I have met several in person at 
Linux World Expo. When manning the Gentoo booth, representing Gentoo, and also 
just attending. Why I take issue when others who have not met me in person 
question my social skills.... More so if they have not met other devs...

GPG key signing was something we did then, at least one year. 
Not sure if we did it every year, or routinely. We did it by exchanging IDs 
(fake or real?) at least we attempted  to prove the person was who they said 
they were in person. Then did the signing thing. 

> Sure, I
> could fly out to SCALE or FOSDEM (which are about equidistant), but
> this seems a bit much for a requirement, even if I'm likely to get
> around to it one of these years.

Ideally Gentoo has its own conference, though location would be hard. Not sure 
if that is more practical than trying to gather at an existing. It was 
something I was interested in when I was a trustee. Though would face the same 
geographic issues on what location would be central to all, if any.

I also had thoughts of helping to provide funds for travel to developers, and 
in a utopian world also provide development gear, laptop, etc. Gentoo being a 
501c6 like the NFL was, and PGA Tour. The PGA Tour provides laptops to 
members, Tiger Woods etc. Gentoo could be doing the same with proper 
organization, and a functional foundation.

So many things are possible with proper organization, leadership, and a strong 
foundation....

-- 
William L. Thomson Jr.

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Rich Freeman]

On Thu, Jan 5, 2017 at 1:00 PM, William L. Thomson Jr.
<wlt-ml@o-sinc.com> wrote:
>
> I also had thoughts of helping to provide funds for travel to developers, and
> in a utopian world also provide development gear, laptop, etc. Gentoo being a
> 501c6 like the NFL was, and PGA Tour. The PGA Tour provides laptops to
> members, Tiger Woods etc. Gentoo could be doing the same with proper
> organization, and a functional foundation.
>
> So many things are possible with proper organization, leadership, and a strong
> foundation....
>

Perhaps you mean a professional leadership and lots of money?  I'm not
convinced the average Gentoo developer would like Gentoo to run like
the NFL, Canonical, or even Apache.  None of these are small
community-based organizations.

I'd love to see something like an annual Gentoo conference, but part
of me wonders if the changes we'd need to make to have such a thing
would leave us happy with the result.

-- 
Rich

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[William L. Thomson Jr.]

[-- Attachment #1: Type: text/plain, Size: 2187 bytes --]

On Thursday, January 5, 2017 1:19:19 PM EST Rich Freeman wrote:
> On Thu, Jan 5, 2017 at 1:00 PM, William L. Thomson Jr.
> 
> <wlt-ml@o-sinc.com> wrote:
> > I also had thoughts of helping to provide funds for travel to developers,
> > and in a utopian world also provide development gear, laptop, etc. Gentoo
> > being a 501c6 like the NFL was, and PGA Tour. The PGA Tour provides
> > laptops to members, Tiger Woods etc. Gentoo could be doing the same with
> > proper organization, and a functional foundation.
> > 
> > So many things are possible with proper organization, leadership, and a
> > strong foundation....
> 
> Perhaps you mean a professional leadership and lots of money?  I'm not
> convinced the average Gentoo developer would like Gentoo to run like
> the NFL, Canonical, or even Apache.  None of these are small
> community-based organizations.

Works for FreeBSD, Gnome and many others. The idea is not to keep Gentoo 
small. Also not to continue to run Gentoo via consensus. Even democracies 
elect leaders who have their own agenda. They are not doing everything the way 
everyone who voted for them would want everything done.

It is called Leadership! Most leaders do not lead by consensus. To lead you 
will at times do things that will make others unhappy. While they may not be 
happy with process, it is the outcome that matters. If people do not like the 
outcome, new leader, new direction.

Every decision or action does not have to please everyone. Most organizations 
are not run that way, if any. That sort of thinking will keep things in a 
quagmire. You cannot please everyone all the time, or even some of the time. 
Still must be leadership to reach some direction that is felt to be the best 
for all.

Why leaders are typically elected more on ideals than a specific agenda. Not 
sure anyone who has voted for someone, agrees with every decision that leader 
made.

> I'd love to see something like an annual Gentoo conference, but part
> of me wonders if the changes we'd need to make to have such a thing
> would leave us happy with the result.

Why do people need to be happy? The difference between work and play is?

-- 
William L. Thomson Jr.

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Yury German]

[-- Attachment #1: Type: text/plain, Size: 2779 bytes --]

Can we please take the off topic discussion to somewhere else. This thread was very specific about GPG. If you want to turn it in to an off topic discussion (as usual) please start another thread that people can ignore. 
________________
Yury German
Gentoo Security Team | Planet Gentoo 
Email: blueknight@gentoo.org

GPG Fingerprint: 8858 89D6 C0C4 75C4 D0DD  FA00 EEAF ED89 024C 043

> On Jan 5, 2017, at 1:40 PM, William L. Thomson Jr. <wlt-ml@o-sinc.com> wrote:
> 
> On Thursday, January 5, 2017 1:19:19 PM EST Rich Freeman wrote:
>> On Thu, Jan 5, 2017 at 1:00 PM, William L. Thomson Jr.
>> 
>> <wlt-ml@o-sinc.com> wrote:
>>> I also had thoughts of helping to provide funds for travel to developers,
>>> and in a utopian world also provide development gear, laptop, etc. Gentoo
>>> being a 501c6 like the NFL was, and PGA Tour. The PGA Tour provides
>>> laptops to members, Tiger Woods etc. Gentoo could be doing the same with
>>> proper organization, and a functional foundation.
>>> 
>>> So many things are possible with proper organization, leadership, and a
>>> strong foundation....
>> 
>> Perhaps you mean a professional leadership and lots of money?  I'm not
>> convinced the average Gentoo developer would like Gentoo to run like
>> the NFL, Canonical, or even Apache.  None of these are small
>> community-based organizations.
> 
> Works for FreeBSD, Gnome and many others. The idea is not to keep Gentoo 
> small. Also not to continue to run Gentoo via consensus. Even democracies 
> elect leaders who have their own agenda. They are not doing everything the way 
> everyone who voted for them would want everything done.
> 
> It is called Leadership! Most leaders do not lead by consensus. To lead you 
> will at times do things that will make others unhappy. While they may not be 
> happy with process, it is the outcome that matters. If people do not like the 
> outcome, new leader, new direction.
> 
> Every decision or action does not have to please everyone. Most organizations 
> are not run that way, if any. That sort of thinking will keep things in a 
> quagmire. You cannot please everyone all the time, or even some of the time. 
> Still must be leadership to reach some direction that is felt to be the best 
> for all.
> 
> Why leaders are typically elected more on ideals than a specific agenda. Not 
> sure anyone who has voted for someone, agrees with every decision that leader 
> made.
> 
>> I'd love to see something like an annual Gentoo conference, but part
>> of me wonders if the changes we'd need to make to have such a thing
>> would leave us happy with the result.
> 
> Why do people need to be happy? The difference between work and play is?
> 
> -- 
> William L. Thomson Jr.


[-- Attachment #2: Type: text/html, Size: 6790 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[William L. Thomson Jr.]

[-- Attachment #1: Type: text/plain, Size: 1418 bytes --]

On Thursday, January 5, 2017 1:47:04 PM EST Yury German wrote:
> Can we please take the off topic discussion to somewhere else. This thread
> was very specific about GPG. 

If you read my post, it was about GPG signing at LWE. Which I said if Gentoo 
had its own conference we could be doing that then. It is on topic, short of 1 
or 2 posts there after. With the first "off topic" non-gpg coming from a 
council member.

Your post is also off topic, and something that could be sent to individuals 
rather than on list adding to the noise. If I am going to request something of 
someone, I will do it privately vs publicly. It just adds to noise....

Also limiting the scope of discussion to just the thread topic, also means 
limiting creative thought. Many threads can start discussions in other areas 
people are not thinking about or actively discussing.

Like if this thread leads to another on organizing a global Gentoo Event and 
conference. That thread may never exist, if mentioning GPG signing at past 
events, etc did not come up.

> If you want to turn it in to an off topic
> discussion (as usual) please start another thread that people can ignore.

People should refrain from personal insults with such comments. Saying "as 
usual" is a insult. Implying that one routinely takes things off topic, is 
hardly a compliment.

Insults are a direct violation of the Gentoo CoC.

-- 
William L. Thomson Jr.

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Matthew Thode]

[-- Attachment #1.1: Type: text/plain, Size: 1981 bytes --]

On 01/05/2017 01:13 PM, William L. Thomson Jr. wrote:
> On Thursday, January 5, 2017 1:47:04 PM EST Yury German wrote:
>> Can we please take the off topic discussion to somewhere else. This thread
>> was very specific about GPG. 
> 
> If you read my post, it was about GPG signing at LWE. Which I said if Gentoo 
> had its own conference we could be doing that then. It is on topic, short of 1 
> or 2 posts there after. With the first "off topic" non-gpg coming from a 
> council member.
> 
> Your post is also off topic, and something that could be sent to individuals 
> rather than on list adding to the noise. If I am going to request something of 
> someone, I will do it privately vs publicly. It just adds to noise....
> 
> Also limiting the scope of discussion to just the thread topic, also means 
> limiting creative thought. Many threads can start discussions in other areas 
> people are not thinking about or actively discussing.
> 
> Like if this thread leads to another on organizing a global Gentoo Event and 
> conference. That thread may never exist, if mentioning GPG signing at past 
> events, etc did not come up.
> 
>> If you want to turn it in to an off topic
>> discussion (as usual) please start another thread that people can ignore.
> 
> People should refrain from personal insults with such comments. Saying "as 
> usual" is a insult. Implying that one routinely takes things off topic, is 
> hardly a compliment.
> 
> Insults are a direct violation of the Gentoo CoC.
> 

nonetheless branching or bringing up a new topic (or tangentially
related topic) would still be better served in a new topic with a
reference to the 'parent' topic.  I think bringing up topics and not
branching properly actually harms the original conversation.  I know
that I want to abandon stuff once the sprawl gets too big just because
it's hard to track what people are actually talking about.

-- 
Matthew Thode (prometheanfire)


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Dirkjan Ochtman]

On Thu, Jan 5, 2017 at 8:23 PM, Matthew Thode <prometheanfire@gentoo.org> wrote:
> nonetheless branching or bringing up a new topic (or tangentially
> related topic) would still be better served in a new topic with a
> reference to the 'parent' topic.  I think bringing up topics and not
> branching properly actually harms the original conversation.  I know
> that I want to abandon stuff once the sprawl gets too big just because
> it's hard to track what people are actually talking about.

+1. I think the discussion on general barrier to developer entry is a
good one to have, but let's have it with a new subject where people
can actually notice it, and not pollute Kristian's GPG proposal thread
with it.

Cheers,

Dirkjan

Re: [gentoo-project] OT Require OpenPGP signatures from existing devs on new developer applications?

[William L. Thomson Jr.]

[-- Attachment #1: Type: text/plain, Size: 1487 bytes --]

I didn't take things off topic, it was another and I replied. I have since 
replied to people personally off list. Check spam/junk folders.

There has been 3, now with this 4 posts that are off topic, as replies to 2 
off topic posts. I fail to see how this is making it any better, and has now 
taking things from any sort of beneficial discussion.

While I did not do some of the initial off topic posts. I have started a new 
thread which others could have done. Even those replying as off topic, could 
have started a new thread on such. I even added OT to this thread topic which 
others could have done at any point and did not either.

Finally it breaks history when you start a new thread taking stuff from 
another. Anyone looking in archive or following the thread after the fact will 
have it break and have to find the trail. They will not be able to follow a 
thread to see how logically the discussion changed.

Like the new email I just posted. If anyone wants to see how we got there. 
They have to dig in another thread.

P.S.
I see lots of off topic stuff posted to many lists, some much more active than 
any of Gentoo's. I never see people saying your post is off topic. That alone 
is extremely rare. But Gentoo community loves to nitpick and control rather 
than just embrace chaos... Also much of what is said to me, I do not say to 
others. It is not up to me to tell another what is on topic or not. etc.

-- 
William L. Thomson Jr.

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Raymond Jennings]

[-- Attachment #1: Type: text/plain, Size: 1491 bytes --]

On Thu, Jan 5, 2017 at 11:35 AM, Dirkjan Ochtman <djc@gentoo.org> wrote:

> On Thu, Jan 5, 2017 at 8:23 PM, Matthew Thode <prometheanfire@gentoo.org>
> wrote:
> > nonetheless branching or bringing up a new topic (or tangentially
> > related topic) would still be better served in a new topic with a
> > reference to the 'parent' topic.  I think bringing up topics and not
> > branching properly actually harms the original conversation.  I know
> > that I want to abandon stuff once the sprawl gets too big just because
> > it's hard to track what people are actually talking about.
>
> +1. I think the discussion on general barrier to developer entry is a
> good one to have, but let's have it with a new subject where people
> can actually notice it, and not pollute Kristian's GPG proposal thread
> with it.
>
> Cheers,
>
> Dirkjan
>
> Agreed here as well

The point of GPG related discussion is *authentication* of developers.

GPG endorsements is NOT meant to be anything more than "yes, I know this
guy, he is who he says he is and I can vouch for his identity"

Anything to do with "this guy should or should not be a developer"

That said, how do we make sure that new developers don't get screwed out of
devship by politics?  Can we make sure that someone isn't going to refuse a
GPG endorsement based on, say..."I know who you are and I believe you are
who you say you are, but I don't like you/think you stink as a
developer/whatever else so I'm not going to endorse you anyway"?

[-- Attachment #2: Type: text/html, Size: 2242 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Yury German]

[-- Attachment #1: Type: text/plain, Size: 1775 bytes --]

So saying in on original discussion.

Having gone through the recruitment process there was nothing that told Gentoo who I was other then the application. I could of put down something like Bugs L. Bunny and as long as I would reply to my Email address for Bugs Bunny and passed the tests, and answered to the name of Bugs I would of been a Gentoo developer (Do not get stuck on the name, using it as example).

I think that we need Authentication of who the people are. Personal opinion but a scan or a picture of a legal document (Passport / Driving License / Birth Certificate) with the official numbers blanked out should be part of the recruitment process. If that is the case the recruiter then has verification of who the person is. That document should not be stored anywhere, but in the ticket should be noted as verified. 

Getting on to GPG now… if that is the case and the identify is verified then a quick video chat for 5 seconds using any media would be enough for the recruiter to establish a web of trust. Then the recruiter as part of filing for access would also sign the GPG key and that would establish the web of trust.  Now how much you trust someone via GPG is your choice.   For example those that I met in person hold higher trust rating then those I did not. 

Now I know people said about time and constraints, travel, etc. Scanning your License, School ID (for students), etc is not a big deal. As long as it contains a picture is issued by some authority and contains a name, should be enough for us to provide the trust in that person besides their skills. 

________________
Yury German
Gentoo Security Team | Planet Gentoo
Email: blueknight@gentoo.org

GPG Fingerprint: 8858 89D6 C0C4 75C4 D0DD  FA00 EEAF ED89 024C 043



[-- Attachment #2: Type: text/html, Size: 5235 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[M. J. Everitt]

[-- Attachment #1.1.1: Type: text/plain, Size: 2041 bytes --]

On 05/01/17 22:39, Yury German wrote:
> So saying in on original discussion.
>
> Having gone through the recruitment process there was nothing that
> told Gentoo who I was other then the application. I could of put down
> something like Bugs L. Bunny and as long as I would reply to my Email
> address for Bugs Bunny and passed the tests, and answered to the name
> of Bugs I would of been a Gentoo developer (Do not get stuck on the
> name, using it as example).
>
> I think that we need Authentication of who the people are. Personal
> opinion but a scan or a picture of a legal document (Passport /
> Driving License / Birth Certificate) with the official numbers blanked
> out should be part of the recruitment process. If that is the case the
> recruiter then has verification of who the person is. That document
> should not be stored anywhere, but in the ticket should be noted as
> verified. 
>
> Getting on to GPG now… if that is the case and the identify is
> verified then a quick video chat for 5 seconds using any media would
> be enough for the recruiter to establish a web of trust. Then the
> recruiter as part of filing for access would also sign the GPG key and
> that would establish the web of trust.  Now how much you trust someone
> via GPG is your choice.   For example those that I met in person hold
> higher trust rating then those I did not. 
>
> Now I know people said about time and constraints, travel, etc.
> Scanning your License, School ID (for students), etc is not a big
> deal. As long as it contains a picture is issued by some authority and
> contains a name, should be enough for us to provide the trust in that
> person besides their skills. 
>
> ________________
> Yury German
> Gentoo Security Team | Planet Gentoo
> Email: blueknight@gentoo.org <mailto:blueknight@gentoo.org>
>
> GPG Fingerprint: 8858 89D6 C0C4 75C4 D0DD  FA00 EEAF ED89 024C 043
>
>
Sounds like a relatively practical idea, one that could be trialled, and
the issues worked through ...

[-- Attachment #1.1.2: Type: text/html, Size: 7656 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Kent Fredric]

[-- Attachment #1: Type: text/plain, Size: 1908 bytes --]

On Thu, 5 Jan 2017 17:39:49 -0500
Yury German <blueknight@gentoo.org> wrote:

> I think that we need Authentication of who the people are. Personal
> opinion but a scan or a picture of a legal document (Passport /
> Driving License / Birth Certificate) with the official numbers
> blanked out should be part of the recruitment process

I thought of that myself, but quickly realised that approach doesn't
really add much value.

Mostly because ID's as such are easily faked in a digital medium,
especially as there's no way for somebody on Gentoo staff to know what
to expect from say, a New Zealand Photo ID, and what aspects of those
ID's need to be present for the ID to be considered legitimate.

Especially as some of those elements that exist on physical ID to
prevent fraud don't translate into digital form, like:

- Transparent Sections
- Holographic Foils
- Embedded chips

It would be reasonably straight forward to create a hawaii ID McLovin
style for Bugs, and nobody would be able to verify its authenticity. 

What I think is needed here is some broader platform outside the
context of simply Gentoo, who acts as local providers of digital
authenticity checks.

For example, if there was some organisation unaffiliated with Gentoo
who operated in New Zealand, and that organisation was themselves
reputable, I'd be much better off getting them to physically
authenticate my identity, by physically showing them my Photo ID,
letting them look for the identifying marks that indicate authenticity,
and then providing me with a digital proof of identity by signing my
key for me.

This way Gentoo are not reliant on trusting me not to be good at faking
my ID, but are instead relying on the reputation of the authenticating
agency.

This seems like a very obvious and easy utility to provide, I'm just
surprised I don't know of any such service.




[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 2209 bytes --]

On Fri, 6 Jan 2017 19:34:35 +1300
Kent Fredric <kentnl@gentoo.org> wrote:

> On Thu, 5 Jan 2017 17:39:49 -0500
> Yury German <blueknight@gentoo.org> wrote:
> 
> > I think that we need Authentication of who the people are. Personal
> > opinion but a scan or a picture of a legal document (Passport /
> > Driving License / Birth Certificate) with the official numbers
> > blanked out should be part of the recruitment process  
> 
> I thought of that myself, but quickly realised that approach doesn't
> really add much value.
> 
> Mostly because ID's as such are easily faked in a digital medium,
> especially as there's no way for somebody on Gentoo staff to know what
> to expect from say, a New Zealand Photo ID, and what aspects of those
> ID's need to be present for the ID to be considered legitimate.
> 
> Especially as some of those elements that exist on physical ID to
> prevent fraud don't translate into digital form, like:
> 
> - Transparent Sections
> - Holographic Foils
> - Embedded chips
> 
> It would be reasonably straight forward to create a hawaii ID McLovin
> style for Bugs, and nobody would be able to verify its authenticity. 
> 
> What I think is needed here is some broader platform outside the
> context of simply Gentoo, who acts as local providers of digital
> authenticity checks.
> 
> For example, if there was some organisation unaffiliated with Gentoo
> who operated in New Zealand, and that organisation was themselves
> reputable, I'd be much better off getting them to physically
> authenticate my identity, by physically showing them my Photo ID,
> letting them look for the identifying marks that indicate authenticity,
> and then providing me with a digital proof of identity by signing my
> key for me.
> 
> This way Gentoo are not reliant on trusting me not to be good at faking
> my ID, but are instead relying on the reputation of the authenticating
> agency.
> 
> This seems like a very obvious and easy utility to provide, I'm just
> surprised I don't know of any such service.

It's called CA, and you've just switched from WoT to PKI model.

-- 
Best regards,
Michał Górny
<http://dev.gentoo.org/~mgorny/>

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 963 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Kent Fredric]

[-- Attachment #1: Type: text/plain, Size: 886 bytes --]

On Fri, 6 Jan 2017 09:18:59 +0100
Michał Górny <mgorny@gentoo.org> wrote:

> It's called CA, and you've just switched from WoT to PKI model.

I am unware of any CA services that provide proof-of-physical-identity via cryptographic means.

There are plenty of CA's who provide web certificates, but they're reasonably easy to achieve without 
directly observed physical proofs.

And a PKI model is better than nothing if you live in a country where there is literally no
other people in Gentoo infrastructure on your land mass, and there are no other
nodes in physical access distance for less than $150 of travel expenses. 

Meanwhile, I can get a phone book and list dozens of "Justice of the Peace" sorts of authenticating agents
for legal issues such as obtaining photo ID in the first place.

There's just no digital equivalent that I've ever stumbled across.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 715 bytes --]

On 01/06/2017 10:00 AM, Kent Fredric wrote:
> On Fri, 6 Jan 2017 09:18:59 +0100
> Michał Górny <mgorny@gentoo.org> wrote:
> 
>> It's called CA, and you've just switched from WoT to PKI model.

This isn't necessarily true, the WoT model can encompass CAs, and PKI
doesn't necessarily deviate from things much in terms of directionality
(WoT can also be a PKI). However it is often used synonymuously (in
error) with the X.509 Global Root PKIX.

> I am unware of any CA services that provide proof-of-physical-identity via cryptographic means.

CACert?

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Kent Fredric]

[-- Attachment #1: Type: text/plain, Size: 493 bytes --]

On Fri, 6 Jan 2017 10:14:00 +0100
Kristian Fiskerstrand <k_f@gentoo.org> wrote:

> CACert?

CACerts website really doesn't help me here in any regards here, it
doesn't even suggest they can do anything for me.

It seems completely unlike anything I want.

Though I did manage to discover the term eNotary since, and its
recognised as a thing to an extent in the US

https://en.wikipedia.org/wiki/ENotary

Finding such agents in New Zealand however has proven difficult so far.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Rich Freeman]

On Fri, Jan 6, 2017 at 1:34 AM, Kent Fredric <kentnl@gentoo.org> wrote:
>
> This seems like a very obvious and easy utility to provide, I'm just
> surprised I don't know of any such service.
>

As was pointed out, some CAs might offer these kinds of services, but
I don't think any of the standard classes really apply to rigorous
identify verification of individuals (just organizations).

A notary public is probably the more traditional route.  I believe you
can give somebody a template document that basically includes a
statement by a notary that somebody has appeared in person showing
proof of identity for the information contained in the statement.

Of course, that then leaves you with having to verify the authenticity
of the notary seal/etc, and it will tend to involve sending around
physical documents unless you just want a scan (which isn't ideal from
an authentication standpoint).

Forging a notary seal is probably a very big deal in most countries,
so that is probably a deterrence to fraud, and showing a false ID to a
notary public is almost certainly a crime as I believe it is
considered equivalent in many cases to making a statement in court.

For Asia I'm not intimately familiar with the process but I think
there are organizations that will certify the validity of a chop (a
seal used for the same purpose as a western signature), which is also
a form of identity verification.  Somebody else could certainly
elaborate here and dispel any ignorance in that statement.

-- 
Rich

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Yury German]

[-- Attachment #1: Type: text/plain, Size: 2557 bytes --]

OK we can do all of that. 

Would a notary document verifying the person that is Mailed to a party (pick an address and a responsible person), be enough to authenticate the person for the original GPG Web of Trust? In my opinion if lets say I was the one receiving the document that has be signed by a notary public, with a GPG key fingerprint on that form, and a photo verification by the Notary (Legally binding document). Then I would say that they are who they say they are.

Any opinions?

Just an FYI on the cost. In most places a Notary Public is free at the bank (In US), or a cost of $5 or under. Not sure about other countries though. We do not want to make this cost prohibitive.

________________
Yury German
Gentoo Security Team | Planet Gentoo
Email: blueknight@gentoo.org

GPG Fingerprint: 8858 89D6 C0C4 75C4 D0DD  FA00 EEAF ED89 024C 043

> On Jan 6, 2017, at 11:15 AM, Rich Freeman <rich0@gentoo.org> wrote:
> 
> On Fri, Jan 6, 2017 at 1:34 AM, Kent Fredric <kentnl@gentoo.org> wrote:
>> 
>> This seems like a very obvious and easy utility to provide, I'm just
>> surprised I don't know of any such service.
>> 
> 
> As was pointed out, some CAs might offer these kinds of services, but
> I don't think any of the standard classes really apply to rigorous
> identify verification of individuals (just organizations).
> 
> A notary public is probably the more traditional route.  I believe you
> can give somebody a template document that basically includes a
> statement by a notary that somebody has appeared in person showing
> proof of identity for the information contained in the statement.
> 
> Of course, that then leaves you with having to verify the authenticity
> of the notary seal/etc, and it will tend to involve sending around
> physical documents unless you just want a scan (which isn't ideal from
> an authentication standpoint).
> 
> Forging a notary seal is probably a very big deal in most countries,
> so that is probably a deterrence to fraud, and showing a false ID to a
> notary public is almost certainly a crime as I believe it is
> considered equivalent in many cases to making a statement in court.
> 
> For Asia I'm not intimately familiar with the process but I think
> there are organizations that will certify the validity of a chop (a
> seal used for the same purpose as a western signature), which is also
> a form of identity verification.  Somebody else could certainly
> elaborate here and dispel any ignorance in that statement.
> 
> -- 
> Rich
> 


[-- Attachment #2: Type: text/html, Size: 6563 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Mart Raudsepp]

Ühel kenal päeval, R, 06.01.2017 kell 11:30, kirjutas Yury German:
> OK we can do all of that. 
> 
> Would a notary document verifying the person that is Mailed to a
> party (pick an address and a responsible person), be enough to
> authenticate the person for the original GPG Web of Trust? In my
> opinion if lets say I was the one receiving the document that has be
> signed by a notary public, with a GPG key fingerprint on that form,
> and a photo verification by the Notary (Legally binding document).
> Then I would say that they are who they say they are.
> 
> Any opinions?

This is just insane. We already suffer with unwillingness of people to
become a developer with all the process involved. Until these are
resolved, throwing more in is just unacceptable. Period.

> Just an FYI on the cost. In most places a Notary Public is free at
> the bank (In US), or a cost of $5 or under. Not sure about other
> countries though. We do not want to make this cost prohibitive.

The procedure or cost should not exist, or reimbursed with time cost as
well.

But lets not go crazy here with the bureaucracy, Ok?

You don't need to know who I am, you are not getting my copyright
assignment anyways. But you are getting my contributions under an open
source license. Lets have more people willing to do so, not throw in
hurdles.

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Aaron W. Swenson]

[-- Attachment #1: Type: text/plain, Size: 1945 bytes --]

On 2017-01-06 19:39, Mart Raudsepp wrote:
> Ühel kenal päeval, R, 06.01.2017 kell 11:30, kirjutas Yury German:
> > OK we can do all of that. 
> > 
> > Would a notary document verifying the person that is Mailed to a
> > party (pick an address and a responsible person), be enough to
> > authenticate the person for the original GPG Web of Trust? In my
> > opinion if lets say I was the one receiving the document that has be
> > signed by a notary public, with a GPG key fingerprint on that form,
> > and a photo verification by the Notary (Legally binding document).
> > Then I would say that they are who they say they are.
> > 
> > Any opinions?
> 
> This is just insane. We already suffer with unwillingness of people to
> become a developer with all the process involved. Until these are
> resolved, throwing more in is just unacceptable. Period.

Insane is a bit far, but it would be an unreasonable requirement to
become a Gentoo Developer.

Further, I’ve never seen any key signing policy that allowed
identification via notary. They’ve never specifically forbade it, but
they’ve explicitly stated that the verification must take place in
person.

> > Just an FYI on the cost. In most places a Notary Public is free at
> > the bank (In US), or a cost of $5 or under. Not sure about other
> > countries though. We do not want to make this cost prohibitive.
> 
> The procedure or cost should not exist, or reimbursed with time cost as
> well.
> 
> But lets not go crazy here with the bureaucracy, Ok?
> 
> You don't need to know who I am, you are not getting my copyright
> assignment anyways. But you are getting my contributions under an open
> source license. Lets have more people willing to do so, not throw in
> hurdles.
> 

Well, we should sort of know who you are. But, I think
contributions are identification enough. We are more concerned about
character, after all…right?

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 343 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Rich Freeman]

On Fri, Jan 6, 2017 at 12:39 PM, Mart Raudsepp <leio@gentoo.org> wrote:
> Ühel kenal päeval, R, 06.01.2017 kell 11:30, kirjutas Yury German:
>> OK we can do all of that.
>>
>> Would a notary document verifying the person that is Mailed to a
>> party (pick an address and a responsible person), be enough to
>> authenticate the person for the original GPG Web of Trust? In my
>> opinion if lets say I was the one receiving the document that has be
>> signed by a notary public, with a GPG key fingerprint on that form,
>> and a photo verification by the Notary (Legally binding document).
>> Then I would say that they are who they say they are.
>>
>> Any opinions?
>
> This is just insane. We already suffer with unwillingness of people to
> become a developer with all the process involved. Until these are
> resolved, throwing more in is just unacceptable. Period.
>

Note that my questions RE notarys were intended to indicate what
is/isn't possible, not to suggest that we should require this.  This
is just a discussion.

I do agree with the overall sentiment that we need to keep things
light if we want more contributors, which has historically been a
bigger problem than people falsifying their identities.

-- 
Rich

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Mart Raudsepp]

Ühel kenal päeval, R, 06.01.2017 kell 13:17, kirjutas Rich Freeman:
> On Fri, Jan 6, 2017 at 12:39 PM, Mart Raudsepp <leio@gentoo.org>
> wrote:
> > 
> > Ühel kenal päeval, R, 06.01.2017 kell 11:30, kirjutas Yury German:
> > > 
> > > OK we can do all of that.
> > > 
> > > Would a notary document verifying the person that is Mailed to a
> > > party (pick an address and a responsible person), be enough to
> > > authenticate the person for the original GPG Web of Trust? In my
> > > opinion if lets say I was the one receiving the document that has
> > > be
> > > signed by a notary public, with a GPG key fingerprint on that
> > > form,
> > > and a photo verification by the Notary (Legally binding
> > > document).
> > > Then I would say that they are who they say they are.
> > > 
> > > Any opinions?
> > 
> > This is just insane. We already suffer with unwillingness of people
> > to
> > become a developer with all the process involved. Until these are
> > resolved, throwing more in is just unacceptable. Period.
> > 
> 
> Note that my questions RE notarys were intended to indicate what
> is/isn't possible, not to suggest that we should require this.  This
> is just a discussion.

Lets say I was trying to shut down the serious ponderings towards it,
before it continues to implementation :D

> I do agree with the overall sentiment that we need to keep things
> light if we want more contributors, which has historically been a
> bigger problem than people falsifying their identities.

Yeah, and I'm saying none of this extra burden makes sense indeed.
I can fully encourage building such a web of trust, i.e, if you happen
to meet another dev, please do sign eachothers keys over beer, proving
you did so. Hopefully over good beer or beverage of choice.

Don't make it any sort of requirement for joining the ranks of a full
developer with push access. We have enough hurdles. We are not
assigning copyrights away to some foundation, there is no legal
verification towards a person needed right now, that I'm aware of. If
there are serious copyright related issues that can't be resolved, we
get to remove work contributed by the person either way.

We do want to know the how they work together with others and so on,
which the current processes seems to work mostly fine for, as these
kind of problems seem to be evident in long time members only right
now.

This also answers titanofold - I meant you don't need to know who I am
with legal certainty wrt my real name and whatnot; I didn't mean you
don't need to know my character and whatnot. This is tied to my IRC and
dev accounts.

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[William L. Thomson Jr.]

[-- Attachment #1: Type: text/plain, Size: 1995 bytes --]

On Friday, January 6, 2017 7:39:54 PM EST Mart Raudsepp wrote:
>
> This is just insane. We already suffer with unwillingness of people to
> become a developer with all the process involved. Until these are
> resolved, throwing more in is just unacceptable. Period.

I fully agree the process needs to be simplified to get people on board faster 
with less of a hurdle.
 
> But lets not go crazy here with the bureaucracy, Ok?

IMHO this has been Gentoo's biggest problem. No one wants to be part of the 
Foundation, yet the bureaucracy seems to increase. While developer numbers are 
not really. It does not make sense.

Aspects need to be merged, whittled down till projects are fully staffed. Then 
and only then, with new developers, should new projects be created and adding 
bureaucracy, as needed. To much focus on utopian concepts rather than getting 
stuff done today!

> You don't need to know who I am, you are not getting my copyright
> assignment anyways. But you are getting my contributions under an open
> source license. Lets have more people willing to do so, not throw in
> hurdles.

I 100% agree. Who cares who I am? Does it even matter? My work is open source. 
Let the work speak for itself. If someone chooses to remain anonymous, they 
just hurt themselves career and resume wise. If they do not care to get credit 
for their work. Then it does not matter if they are identified or not.

If Gentoo, the Foundation takes any and all liability from any contributor or 
developer. Which it likely does now, but could have a legal indemnity clause 
to further clarify such. Then it does not matter who does what really. Gentoo 
is responsible no matter what, if the person is known or not.

Having people identified I am not sure matters much unless we are talking about 
closed source stuff. Maybe things like infra need to be known, surely 
Trustees. But the average developer or staff member not really.

-- 
William L. Thomson Jr.

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Rich Freeman]

On Fri, Jan 6, 2017 at 3:38 PM, William L. Thomson Jr.
<wlt-ml@o-sinc.com> wrote:
>
> Aspects need to be merged, whittled down till projects are fully staffed. Then
> and only then, with new developers, should new projects be created and adding
> bureaucracy, as needed. To much focus on utopian concepts rather than getting
> stuff done today!
>

This sounds a bit like "the beatings shall continue until morale
improves."  I've yet to see a case when telling somebody that they're
not allowed to work on something that interests them results in
"getting stuff done" when there isn't a paycheck involved (and often
even when there is).

-- 
Rich

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[William L. Thomson Jr.]

[-- Attachment #1: Type: text/plain, Size: 1135 bytes --]

On Friday, January 6, 2017 4:01:31 PM EST Rich Freeman wrote:
> On Fri, Jan 6, 2017 at 3:38 PM, William L. Thomson Jr.
> 
> <wlt-ml@o-sinc.com> wrote:
> > Aspects need to be merged, whittled down till projects are fully staffed.
> > Then and only then, with new developers, should new projects be created
> > and adding bureaucracy, as needed. To much focus on utopian concepts
> > rather than getting stuff done today!
> 
> This sounds a bit like "the beatings shall continue until morale
> improves."  I've yet to see a case when telling somebody that they're
> not allowed to work on something that interests them results in
> "getting stuff done" when there isn't a paycheck involved (and often
> even when there is).

Taken the wrong way. I am not saying people cannot work on anything. I am 
simply saying, reduce projects, reduce bureaucracy to bare minimums that make 
sense and are needed. Then add back projects and bureaucracy as needed.

To much is being over engineered, over discussed, over thought, that is not 
leading to more getting done. Nor is it attracting more, not really beneficial.

-- 
William L. Thomson Jr.

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Rich Freeman]

On Fri, Jan 6, 2017 at 4:08 PM, William L. Thomson Jr.
<wlt-ml@o-sinc.com> wrote:
>
> Taken the wrong way. I am not saying people cannot work on anything. I am
> simply saying, reduce projects, reduce bureaucracy to bare minimums that make
> sense and are needed. Then add back projects and bureaucracy as needed.
>
> To much is being over engineered, over discussed, over thought, that is not
> leading to more getting done. Nor is it attracting more, not really beneficial.
>

There is very little in Gentoo that needs the approval of anybody, let
alone a project.

It is good to post proposed changes on the lists.

The problem is that people propose a change, get feedback, and if that
feedback isn't 100% in-favor of the change they just stop.

There is no rule that says that people need 100% agreement to do
anything.  You just need to do it.  Now, if QA raises a serious
objection that is an issue, but that is pretty rare.  If somebody does
strongly object they can escalate to a project or council, but the
burden is on the person who wants to stop the work, not the person who
wants to do it.  Typically these escalations are resolved quickly.

Of course it makes sense to get more agreement around really big
changes, but nothing is going to change that.

If people think that there is overdiscussion it is only because they
haven't stopped replying to the threads.  You don't have to keep
arguing until you "win."  Just do whatever it is that you want to do,
as long as it isn't contrary to some policy (and there aren't all that
many of those).

If somebody has a specific example of this issue that they want to
bring up I'm all ears, but at the next council meeting nobody
suggested even a single agenda item.  Clearly there isn't a lot of
bureaucracy holding things up.

-- 
Rich

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[William L. Thomson Jr.]

[-- Attachment #1: Type: text/plain, Size: 2210 bytes --]

On Friday, January 6, 2017 4:16:28 PM EST Rich Freeman wrote:
>
> If people think that there is overdiscussion it is only because they
> haven't stopped replying to the threads.  

Well some like this thread it itself is not addressing the real issue in 
getting more to join. Just adding more criteria for anyone who does. With lots 
of discussion. This thread is a perfect example of over engineering and not 
addressing the real problem. Just creating more work.

There isn't a real need for OpenGPG signatures on applications, WoT, etc. 
There is a need for more developers, man power.

I have to believe if everyone made the same effort in sharing opinions to 
recruit others, Gentoo would have lots of developers.

> You don't have to keep
> arguing until you "win."  Just do whatever it is that you want to do,
> as long as it isn't contrary to some policy (and there aren't all that
> many of those).

I am not even talking about winning or arguments. I do not take this thread as 
an argument or win. It is a discussion to potentially add further hurdles to 
something that already has many.

> If somebody has a specific example of this issue that they want to
> bring up I'm all ears, but at the next council meeting nobody
> suggested even a single agenda item. 

That does not surprise me at all. Why the council relies on others to set the 
agenda I question. Agenda items from developers and community should be 
supplemental. The council should be setting various agenda items for Gentoo's 
future.

But lack of agenda items, lack of interest, lack of people flocking to Gentoo. 
Thus stuff is all related. It is why I feel the problems are much bigger than 
Java and myself. Gentoo is on the ropes in a sense. Crucial time to revive and 
regain momentum and interest. Or just seal its fate to being a niche distro 
that was a fad and most have moved on.

I think Gentoo is more than a fad, and has a crucial role to play in FOSS.

> Clearly there isn't a lot of bureaucracy holding things up.

When it comes to recruiting there is quite allot. I do not think anyone will 
say the recruitment process is expeditious.

-- 
William L. Thomson Jr.

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 381 bytes --]

On 01/06/2017 10:49 PM, William L. Thomson Jr. wrote:
> When it comes to recruiting there is quite allot. I do not think anyone will 
> say the recruitment process is expeditious.

I can say so, becoming a dev is rather easy :)

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[William L. Thomson Jr.]

[-- Attachment #1: Type: text/plain, Size: 1532 bytes --]

On Friday, January 6, 2017 11:22:28 PM EST Kristian Fiskerstrand wrote:
> On 01/06/2017 10:49 PM, William L. Thomson Jr. wrote:
> > When it comes to recruiting there is quite allot. I do not think anyone
> > will say the recruitment process is expeditious.
> 
> I can say so, becoming a dev is rather easy :)

Many would agree, but I would assume most have gone through the process of 
becoming a Gentoo developer once maybe twice. I have had the privilege of this 
experience at least 4 or 5 times, including when I first became a developer in 
2006.

I am not sure anyone has attempted to return as many times as I have. I am not 
sure anyone has gone through the recruitment process as many times as I have.
Which makes me pretty experienced from the outsider perspective of trying to 
complete the process and all potential issues you can encounter. Others who do 
it once have a very different experience, as did I in 2006.

The experience and people varied for each attempt over the years. I saw the 
process decline from 06 till my last attempt in 2015. None were as efficient as 
2006, drama or past aside. I voiced opposition and suggestions to improvement 
over the years to different people. While the people have changed, the process 
has not improved and most issues still remain.

This is not reflecting on any one person in recruiting currently. Just how 
things have gone down over the years. I do not blame any one, I blame the 
process more than anything.

-- 
William L. Thomson Jr.

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[M. J. Everitt]

[-- Attachment #1.1: Type: text/plain, Size: 444 bytes --]

On 06/01/17 22:22, Kristian Fiskerstrand wrote:
> On 01/06/2017 10:49 PM, William L. Thomson Jr. wrote:
>> When it comes to recruiting there is quite allot. I do not think anyone will 
>> say the recruitment process is expeditious.
> I can say so, becoming a dev is rather easy :)
>
I respectfully disagree .. and having seen enough potential candidates
dismissed or rescinded their applications, I have evidence to the
contrary ...


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Rich Freeman]

On Fri, Jan 6, 2017 at 10:27 PM, M. J. Everitt <m.j.everitt@iee.org> wrote:
> On 06/01/17 22:22, Kristian Fiskerstrand wrote:
>> On 01/06/2017 10:49 PM, William L. Thomson Jr. wrote:
>>> When it comes to recruiting there is quite allot. I do not think anyone will
>>> say the recruitment process is expeditious.
>> I can say so, becoming a dev is rather easy :)
>>
> I respectfully disagree .. and having seen enough potential candidates
> dismissed or rescinded their applications, I have evidence to the
> contrary ...
>

Well, applicants who are dismissed have just met one of the two
possible outcomes of the process.  That isn't really a failure of the
process.  That is assuming I understand what you meant by "dismissed."

Now, applicants who give up is potentially a different matter.  I'm
not sure how much of that is just general backlog vs a form of
selection.  I don't know what the current process is but my sense at
least in the past was that recruiters didn't necessarily interview
candidates in the order they applied but rather prioritized those they
considered most likely to be accepted, so if there was any backlog
somebody could wait a long time to get into the process if they
weren't considered a strong candidate.  While the prioritization
probably makes sense it would be ideal to at least get them through
the process even if it just results in them being dismissed at the
end.  Obviously there isn't a lot of value in doing that vs processing
another more recent candidate who actually gets accepted.  The only
way to prevent people from waiting forever would be to increase the
number of recruiters, and that obviously requires people to volunteer.

-- 
Rich

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[M. J. Everitt]

[-- Attachment #1.1: Type: text/plain, Size: 2180 bytes --]

On 07/01/17 04:08, Rich Freeman wrote:
> On Fri, Jan 6, 2017 at 10:27 PM, M. J. Everitt <m.j.everitt@iee.org> wrote:
>> On 06/01/17 22:22, Kristian Fiskerstrand wrote:
>>> On 01/06/2017 10:49 PM, William L. Thomson Jr. wrote:
>>>> When it comes to recruiting there is quite allot. I do not think anyone will
>>>> say the recruitment process is expeditious.
>>> I can say so, becoming a dev is rather easy :)
>>>
>> I respectfully disagree .. and having seen enough potential candidates
>> dismissed or rescinded their applications, I have evidence to the
>> contrary ...
>>
> Well, applicants who are dismissed have just met one of the two
> possible outcomes of the process.  That isn't really a failure of the
> process.  That is assuming I understand what you meant by "dismissed."
>
> Now, applicants who give up is potentially a different matter.  I'm
> not sure how much of that is just general backlog vs a form of
> selection.  I don't know what the current process is but my sense at
> least in the past was that recruiters didn't necessarily interview
> candidates in the order they applied but rather prioritized those they
> considered most likely to be accepted, so if there was any backlog
> somebody could wait a long time to get into the process if they
> weren't considered a strong candidate.  While the prioritization
> probably makes sense it would be ideal to at least get them through
> the process even if it just results in them being dismissed at the
> end.  Obviously there isn't a lot of value in doing that vs processing
> another more recent candidate who actually gets accepted.  The only
> way to prevent people from waiting forever would be to increase the
> number of recruiters, and that obviously requires people to volunteer.
>
Being quite careful not to point any fingers here, but:

https://bugs.gentoo.org/buglist.cgi?cmdtype=dorem&list_id=3401330&namedcmd=New%20devs%20-hmm&remaction=run

Ok, so there are a few rogues in there, but a half-dozen who could be
contributing (more) regularly to Gentoo if the process was a bit
smoother and smarter .. imho ...

[with apologies if Bugzie is playin up]


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Kent Fredric]

[-- Attachment #1: Type: text/plain, Size: 1124 bytes --]

On Fri, 06 Jan 2017 16:49:35 -0500
"William L. Thomson Jr." <wlt-ml@o-sinc.com> wrote:

> Well some like this thread it itself is not addressing the real issue
> in getting more to join. Just adding more criteria for anyone who
> does. With lots of discussion. This thread is a perfect example of
> over engineering and not addressing the real problem. Just creating
> more work.
> 
> There isn't a real need for OpenGPG signatures on applications, WoT,
> etc. There is a need for more developers, man power.

At this point I wasn't even agreeing that we should add this threshold.

More, the intellectual curiosity how we could improve the cryptographic
reliability of Gentoo in realistic terms via trust webs is a discussion
in itself.

The main point of this thread was to attempt to create this web of
trust by forcing new users be signed.

But the overall objective is not to deter contributors, but to improve
the WoT by realistic means.

So exploring the mechanisms by which we achieve the WoT independently
of whether or not we make it a barrier to entry I think is the thing to
focus on.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Rich Freeman]

On Fri, Jan 6, 2017 at 5:48 PM, Kent Fredric <kentnl@gentoo.org> wrote:
>
> More, the intellectual curiosity how we could improve the cryptographic
> reliability of Gentoo in realistic terms via trust webs is a discussion
> in itself.
>
> The main point of this thread was to attempt to create this web of
> trust by forcing new users be signed.
>
> But the overall objective is not to deter contributors, but to improve
> the WoT by realistic means.
>
> So exploring the mechanisms by which we achieve the WoT independently
> of whether or not we make it a barrier to entry I think is the thing to
> focus on.

So, I was chatting with k_f about this on the side, but I think
something you should look at is creating a voluntary framework to
encourage this.  Nobody is going to object to that, and it lets you
get a sense of what it takes.  If it works really well then maybe
there would be interest in making it mandatory, and if nobody likes it
then probably not.  Either way though it probably will capture a lot
of the value without becoming a barrier to anybody.

This isn't unlike where we ended up in discussions around copyright
assignment.  For all of its benefits it also causes some sticky
issues, and you can probably get 80% of the benefit on a voluntary
basis, so that is the direction we've been moving in.

-- 
Rich

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[M. J. Everitt]

[-- Attachment #1.1: Type: text/plain, Size: 1546 bytes --]

On 06/01/17 23:01, Rich Freeman wrote:
> On Fri, Jan 6, 2017 at 5:48 PM, Kent Fredric <kentnl@gentoo.org> wrote:
>> More, the intellectual curiosity how we could improve the cryptographic
>> reliability of Gentoo in realistic terms via trust webs is a discussion
>> in itself.
>>
>> The main point of this thread was to attempt to create this web of
>> trust by forcing new users be signed.
>>
>> But the overall objective is not to deter contributors, but to improve
>> the WoT by realistic means.
>>
>> So exploring the mechanisms by which we achieve the WoT independently
>> of whether or not we make it a barrier to entry I think is the thing to
>> focus on.
> So, I was chatting with k_f about this on the side, but I think
> something you should look at is creating a voluntary framework to
> encourage this.  Nobody is going to object to that, and it lets you
> get a sense of what it takes.  If it works really well then maybe
> there would be interest in making it mandatory, and if nobody likes it
> then probably not.  Either way though it probably will capture a lot
> of the value without becoming a barrier to anybody.
>
> This isn't unlike where we ended up in discussions around copyright
> assignment.  For all of its benefits it also causes some sticky
> issues, and you can probably get 80% of the benefit on a voluntary
> basis, so that is the direction we've been moving in.
>
+1 try it out .. see what breaks .. look at the viability, work through
some issues, assess the pro's and con's ...


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[William L. Thomson Jr.]

[-- Attachment #1: Type: text/plain, Size: 596 bytes --]

On Saturday, January 7, 2017 11:48:54 AM EST Kent Fredric wrote:
>
> The main point of this thread was to attempt to create this web of
> trust by forcing new users be signed.
> 
> But the overall objective is not to deter contributors, but to improve
> the WoT by realistic means.

I am all for WoT and GPG signing, as I first did this via Gentoo at LWE and is 
good for others. I need to see about doing it more at my LUG and so should 
others with anyone they can, Gentoo or not.

Just not sure about forcing people to sign, but optionally is good.

-- 
William L. Thomson Jr.

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[nado]

January 6, 2017 11:49 PM, "Kent Fredric" <kentnl@gentoo.org> wrote:

> More, the intellectual curiosity how we could improve the cryptographic
> reliability of Gentoo in realistic terms via trust webs is a discussion
> in itself.
> 
> The main point of this thread was to attempt to create this web of
> trust by forcing new users be signed.

I don’t believe that forcing people to be signed is feasible and thus should not. It is however possible to organize GPG signing party at various conferences around the world, even by simply meeting people without any conference, you just need to be there and have whatever device to sign each other key.

When the practice will be done enough and the gentoo WoT have grown a bit, I think only a that time we may discuss about the feasibility of forcing new dev to be signed.

--
Corentin “Nado” Pazdera

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Daniel Campbell]

[-- Attachment #1.1: Type: text/plain, Size: 1900 bytes --]

On 01/06/2017 01:49 PM, William L. Thomson Jr. wrote:
> There isn't a real need for OpenGPG signatures on applications

I disagree. Becoming a Gentoo developer gives you a key to a clubhouse,
so to speak. We need to be sure that we're trusting exactly one person
(in this case, a GPG/SSH key) and granting them access. It keeps
Gentoo's Web of Trust a little better managed, as it limits vulnerability.

That said: sure, there's nothing stopping a group from using a single
key, but they'd have to be incredibly well-coordinated and agree on
practically all of their communications, commit messages, etc. The
likelihood that producing a single GPG key and single SSH key is a large
barrier to Gentoo entry is low, especially considering we're entrusting
them to be ideologically and technically savvy. If they can't leap the
minor hurdle of producing the keys necessary to access the servers, can
they be trusted to write decent ebuilds, manage infra, or understand
enough about Gentoo to hold a vote-bearing position?

In the grand scheme of things, producing a key and asking for one to get
access isn't a big deal. Any issues with bureaucracy and recruitment is
definitely elsewhere; GPG/SSH is the easiest part.

This verification process that some have thrown around is a plus, but
not something I'd consider required unless we approve specific methods
of verification and it's not unreasonable. (For example, having a quick
video conversation and sharing the contents of their keys live, etc)

There are still pitfalls with that, too, however, because some of us may
not have constant home connections or very much bandwidth (think
dial-up). It's for that reason I'm okay with keys but against forced
verification.
-- 
Daniel Campbell - Gentoo Developer
OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net
fpr: AE03 9064 AE00 053C 270C  1DE4 6F7A 9091 1EA0 55D6


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 1262 bytes --]

On Fri, 6 Jan 2017 11:15:17 -0500
Rich Freeman <rich0@gentoo.org> wrote:

> On Fri, Jan 6, 2017 at 1:34 AM, Kent Fredric <kentnl@gentoo.org> wrote:
> >
> > This seems like a very obvious and easy utility to provide, I'm just
> > surprised I don't know of any such service.
> >  
> 
> As was pointed out, some CAs might offer these kinds of services, but
> I don't think any of the standard classes really apply to rigorous
> identify verification of individuals (just organizations).
> 
> A notary public is probably the more traditional route.  I believe you
> can give somebody a template document that basically includes a
> statement by a notary that somebody has appeared in person showing
> proof of identity for the information contained in the statement.
> 
> Of course, that then leaves you with having to verify the authenticity
> of the notary seal/etc, and it will tend to involve sending around
> physical documents unless you just want a scan (which isn't ideal from
> an authentication standpoint).

Wasn't it the notary route that caused CAcert never to be widely
accepted as a CA? I think they removed that when they started
the auditing process.

-- 
Best regards,
Michał Górny
<http://dev.gentoo.org/~mgorny/>

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 963 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 764 bytes --]

On 01/05/2017 11:28 PM, Raymond Jennings wrote:
> That said, how do we make sure that new developers don't get screwed out of
> devship by politics?  Can we make sure that someone isn't going to refuse a
> GPG endorsement based on, say..."I know who you are and I believe you are
> who you say you are, but I don't like you/think you stink as a
> developer/whatever else so I'm not going to endorse you anyway"?

Arguably, from this point of view, you would consider the signature an
endorsement from existing developers. If they don't believe it is a good
fit for the community, is it really a bad thing?

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Raymond Jennings]

[-- Attachment #1: Type: text/plain, Size: 1086 bytes --]

It is, if that decision is being made by a random developer being asked for
an endorsement and not a recruiter.

That is why I wanted to emphasize that if we DO use GPG endorsements, we
bear in mind the practical realities.

On Thu, Jan 5, 2017 at 2:40 PM, Kristian Fiskerstrand <k_f@gentoo.org>
wrote:

> On 01/05/2017 11:28 PM, Raymond Jennings wrote:
> > That said, how do we make sure that new developers don't get screwed out
> of
> > devship by politics?  Can we make sure that someone isn't going to
> refuse a
> > GPG endorsement based on, say..."I know who you are and I believe you are
> > who you say you are, but I don't like you/think you stink as a
> > developer/whatever else so I'm not going to endorse you anyway"?
>
> Arguably, from this point of view, you would consider the signature an
> endorsement from existing developers. If they don't believe it is a good
> fit for the community, is it really a bad thing?
>
> --
> Kristian Fiskerstrand
> OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
>
>

[-- Attachment #2: Type: text/html, Size: 1638 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 472 bytes --]

On 01/05/2017 11:44 PM, Raymond Jennings wrote:
> It is, if that decision is being made by a random developer being asked for
> an endorsement and not a recruiter.
> 
> That is why I wanted to emphasize that if we DO use GPG endorsements, we
> bear in mind the practical realities.

top-posting isn't a good start


-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Rich Freeman]

On Thu, Jan 5, 2017 at 5:28 PM, Raymond Jennings <shentino@gmail.com> wrote:
>
> That said, how do we make sure that new developers don't get screwed out of
> devship by politics?  Can we make sure that someone isn't going to refuse a
> GPG endorsement based on, say..."I know who you are and I believe you are
> who you say you are, but I don't like you/think you stink as a
> developer/whatever else so I'm not going to endorse you anyway"?

Well, if they only need two signatures and they can come from anybody,
then you'd need to tick off an AWFUL lot of people for this to become
a problem.  If you actually managed to do that, somehow I suspect the
recruiters are going to give you a hard time.

-- 
Rich

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Raymond Jennings]

[-- Attachment #1: Type: text/plain, Size: 1519 bytes --]

On Thu, Jan 5, 2017 at 2:50 PM, Rich Freeman <rich0@gentoo.org> wrote:

> On Thu, Jan 5, 2017 at 5:28 PM, Raymond Jennings <shentino@gmail.com>
> wrote:
> >
> > That said, how do we make sure that new developers don't get screwed out
> of
> > devship by politics?  Can we make sure that someone isn't going to
> refuse a
> > GPG endorsement based on, say..."I know who you are and I believe you are
> > who you say you are, but I don't like you/think you stink as a
> > developer/whatever else so I'm not going to endorse you anyway"?
>
> Well, if they only need two signatures and they can come from anybody,
> then you'd need to tick off an AWFUL lot of people for this to become
> a problem.  If you actually managed to do that, somehow I suspect the
> recruiters are going to give you a hard time.
>
> --
> Rich
>
> Are we assuming that GPG signatures can only be obtained from developers
that know you personally?

Gentoo is a globally active distro with contributors from across the world.

Getting a face to face meeting with another developer is hard enough as it
is.

Add to this that we're socially inept geeks and probably don't have many
connections anyway, and you have the logical conclusion that a prospective
dev is NOT going to have an easy time actually getting endorsements.

Who can give you an endorsement anyway?

Answer this, and then you'll know whether or not the pool of potential
endorsers is going to be too small for it to become anything but a needless
bottleneck to becoming a developer.

[-- Attachment #2: Type: text/html, Size: 2423 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 595 bytes --]

On 01/06/2017 12:00 AM, Raymond Jennings wrote:
> Answer this, and then you'll know whether or not the pool of potential
> endorsers is going to be too small for it to become anything but a needless
> bottleneck to becoming a developer.

I don't agree it being a needless bottleneck. Having a relationship with
the community has a benefit in itself. If they don't appreciate a
singular individual, that consideration has value on its own.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Raymond Jennings]

[-- Attachment #1: Type: text/plain, Size: 809 bytes --]

On Thu, Jan 5, 2017 at 3:09 PM, Kristian Fiskerstrand <k_f@gentoo.org>
wrote:

> On 01/06/2017 12:00 AM, Raymond Jennings wrote:
> > Answer this, and then you'll know whether or not the pool of potential
> > endorsers is going to be too small for it to become anything but a
> needless
> > bottleneck to becoming a developer.
>
> I don't agree it being a needless bottleneck. Having a relationship with
> the community has a benefit in itself. If they don't appreciate a
> singular individual, that consideration has value on its own.
>
> --
> Kristian Fiskerstrand
> OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
>
>
Then I would like to ask, how easy is it for a new developer to get in
touch with another developer who can endorse him?

[-- Attachment #2: Type: text/html, Size: 1371 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Rich Freeman]

On Thu, Jan 5, 2017 at 6:00 PM, Raymond Jennings <shentino@gmail.com> wrote:
> Are we assuming that GPG signatures can only be obtained from developers
> that know you personally?
>

Well, that was my original concern.  If you need to know them
personally then a LOT of developers are going to struggle to meet two
in person no matter how nicely they get along.

If a quick video chat is sufficient then it is a PITA, but probably
not an insurmountable burden.

-- 
Rich

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Raymond Jennings]

[-- Attachment #1: Type: text/plain, Size: 671 bytes --]

On Thu, Jan 5, 2017 at 3:44 PM, Rich Freeman <rich0@gentoo.org> wrote:

> On Thu, Jan 5, 2017 at 6:00 PM, Raymond Jennings <shentino@gmail.com>
> wrote:
> > Are we assuming that GPG signatures can only be obtained from developers
> > that know you personally?
> >
>
> Well, that was my original concern.  If you need to know them
> personally then a LOT of developers are going to struggle to meet two
> in person no matter how nicely they get along.
>

That is my point.

Not everyone has access to video chat either.  Not all of us have webcams.

>
> If a quick video chat is sufficient then it is a PITA, but probably
> not an insurmountable burden.
>
> --
> Rich
>
>

[-- Attachment #2: Type: text/html, Size: 1303 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 1704 bytes --]

On Wed, 4 Jan 2017 18:58:26 +0100
Kristian Fiskerstrand <k_f@gentoo.org> wrote:

> With increasing focus on security in various contexts I'd like to
> propose that we start discussing catching up with other distributions
> and start requiring new developers' OpenPGP keyblocks to have at least
> two signatures from existing developers before applications can be
> made[A]. Amongst other things This helps building the Gentoo Web of Trust.
> 
> 
> E.g [Debian] has the following requirement: "To maintain the strong Web
> of Trust that connects all Debian Developers, Applicants need to
> identify themselves by providing an OpenPGP key that is signed by at
> least two official Developers. To further ensure their identity,
> signatures by other people (who do not need to be DDs, but should be
> well connected in the overall Web of Trust) are strongly recommended."

Isn't barrier of entry to Gentoo high enough already? I know many
people refusing to join because they consider quizzes
and the recruitment procedure to be too cumbersome and a waste of time.
I can imagine requiring people to actually travel and make appointments
with other Gentoo developers will only make things worse.

Considering that so far I haven't met any Gentoo developers. In fact, I
barely met a few people who have any clue of (Open)PGP at all. If I was
required to get signatures from two Gentoo developers, I certainly
would not have joined.

Maybe if I were unemployed and the Foundation was willing to reimburse
travel costs... but right now, I can't really imagine finding time to
go and collect Gentoo Pokémon.

-- 
Best regards,
Michał Górny
<http://dev.gentoo.org/~mgorny/>

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 963 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 2584 bytes --]

On 01/04/2017 08:12 PM, Michał Górny wrote:
> On Wed, 4 Jan 2017 18:58:26 +0100
> Kristian Fiskerstrand <k_f@gentoo.org> wrote:
> 
>> With increasing focus on security in various contexts I'd like to
>> propose that we start discussing catching up with other distributions
>> and start requiring new developers' OpenPGP keyblocks to have at least
>> two signatures from existing developers before applications can be
>> made[A]. Amongst other things This helps building the Gentoo Web of Trust.
>>
>>
>> E.g [Debian] has the following requirement: "To maintain the strong Web
>> of Trust that connects all Debian Developers, Applicants need to
>> identify themselves by providing an OpenPGP key that is signed by at
>> least two official Developers. To further ensure their identity,
>> signatures by other people (who do not need to be DDs, but should be
>> well connected in the overall Web of Trust) are strongly recommended."
> 
> Isn't barrier of entry to Gentoo high enough already? I know many
> people refusing to join because they consider quizzes
> and the recruitment procedure to be too cumbersome and a waste of time.

No, I don't feel that this is conflicting, on some level it comes down
to a matter of more than technical skills, in this particular context
also establishing trust, both in terms of security and in the long term
responsibilities of both having commit access in general and maintaining
the packages picked up for maintenance.

> I can imagine requiring people to actually travel and make appointments
> with other Gentoo developers will only make things worse.

Most signatures can likely be exchanged at local LUGs, in particular if
we increase presentation activity in order to be more visible. As an
example the Norwegian Unix User's Group is sponsoring flying in a Gentoo
developer this year to present here in Oslo.

> 
> Considering that so far I haven't met any Gentoo developers. In fact, I
> barely met a few people who have any clue of (Open)PGP at all. If I was

Might be time for me for a trip to Poland :)

> required to get signatures from two Gentoo developers, I certainly
> would not have joined.

The discussion of this is interesting, and on some level it comes down
to Gentoo developers being more visible in their local communities to
offer such opportunities as well as meeting up with other Gentoo
developers in various contexts.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 1902 bytes --]

On Wed, 4 Jan 2017 21:47:34 +0100
Kristian Fiskerstrand <k_f@gentoo.org> wrote:

> On 01/04/2017 08:12 PM, Michał Górny wrote:
> > On Wed, 4 Jan 2017 18:58:26 +0100
> > Kristian Fiskerstrand <k_f@gentoo.org> wrote:
> >   
> >> With increasing focus on security in various contexts I'd like to
> >> propose that we start discussing catching up with other distributions
> >> and start requiring new developers' OpenPGP keyblocks to have at least
> >> two signatures from existing developers before applications can be
> >> made[A]. Amongst other things This helps building the Gentoo Web of Trust.
> >>
> >>
> >> E.g [Debian] has the following requirement: "To maintain the strong Web
> >> of Trust that connects all Debian Developers, Applicants need to
> >> identify themselves by providing an OpenPGP key that is signed by at
> >> least two official Developers. To further ensure their identity,
> >> signatures by other people (who do not need to be DDs, but should be
> >> well connected in the overall Web of Trust) are strongly recommended."  
> > 
> > Isn't barrier of entry to Gentoo high enough already? I know many
> > people refusing to join because they consider quizzes
> > and the recruitment procedure to be too cumbersome and a waste of time.  
> 
> No, I don't feel that this is conflicting, on some level it comes down
> to a matter of more than technical skills, in this particular context
> also establishing trust, both in terms of security and in the long term
> responsibilities of both having commit access in general and maintaining
> the packages picked up for maintenance.

Are you assuming that having a verified proof of identity (well, more
of the name since I suppose you won't be recording all his data) of
a developer would prevent him from abusing his account?

-- 
Best regards,
Michał Górny
<http://dev.gentoo.org/~mgorny/>

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 963 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 998 bytes --]

On 01/04/2017 10:17 PM, Michał Górny wrote:
>>> Isn't barrier of entry to Gentoo high enough already? I know many
>>> people refusing to join because they consider quizzes
>>> and the recruitment procedure to be too cumbersome and a waste of time.  
>> No, I don't feel that this is conflicting, on some level it comes down
>> to a matter of more than technical skills, in this particular context
>> also establishing trust, both in terms of security and in the long term
>> responsibilities of both having commit access in general and maintaining
>> the packages picked up for maintenance.
> Are you assuming that having a verified proof of identity (well, more
> of the name since I suppose you won't be recording all his data) of
> a developer would prevent him from abusing his account?

I would certainly consider it less likely

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Rich Freeman]

On Wed, Jan 4, 2017 at 4:27 PM, Kristian Fiskerstrand <k_f@gentoo.org> wrote:
> On 01/04/2017 10:17 PM, Michał Górny wrote:
>>>> Isn't barrier of entry to Gentoo high enough already? I know many
>>>> people refusing to join because they consider quizzes
>>>> and the recruitment procedure to be too cumbersome and a waste of time.
>>> No, I don't feel that this is conflicting, on some level it comes down
>>> to a matter of more than technical skills, in this particular context
>>> also establishing trust, both in terms of security and in the long term
>>> responsibilities of both having commit access in general and maintaining
>>> the packages picked up for maintenance.
>> Are you assuming that having a verified proof of identity (well, more
>> of the name since I suppose you won't be recording all his data) of
>> a developer would prevent him from abusing his account?
>
> I would certainly consider it less likely
>

I would tend to agree.  Your real-world identity is tied to your
ability to earn a living, so you have an incentive to protect its
reputation.

And, in the event of abuse having to forge a government ID would be a
considerable barrier to re-applying, and it would likely increase the
stakes if you're caught doing it (since real-world governments tend to
look unkindly on the forgery of such things).

I don't question the usefulness of verifying identity, just the practicality.

-- 
Rich

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 376 bytes --]

On 01/04/2017 10:34 PM, Rich Freeman wrote:

> I don't question the usefulness of verifying identity, just the practicality.
> 

The practicality we can do something about as a community, though, by
increasing awareness.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 1528 bytes --]

On Wed, 4 Jan 2017 16:34:15 -0500
Rich Freeman <rich0@gentoo.org> wrote:

> On Wed, Jan 4, 2017 at 4:27 PM, Kristian Fiskerstrand <k_f@gentoo.org> wrote:
> > On 01/04/2017 10:17 PM, Michał Górny wrote:  
> >>>> Isn't barrier of entry to Gentoo high enough already? I know many
> >>>> people refusing to join because they consider quizzes
> >>>> and the recruitment procedure to be too cumbersome and a waste of time.  
> >>> No, I don't feel that this is conflicting, on some level it comes down
> >>> to a matter of more than technical skills, in this particular context
> >>> also establishing trust, both in terms of security and in the long term
> >>> responsibilities of both having commit access in general and maintaining
> >>> the packages picked up for maintenance.  
> >> Are you assuming that having a verified proof of identity (well, more
> >> of the name since I suppose you won't be recording all his data) of
> >> a developer would prevent him from abusing his account?  
> >
> > I would certainly consider it less likely
> >  
> 
> I would tend to agree.  Your real-world identity is tied to your
> ability to earn a living, so you have an incentive to protect its
> reputation.

The problem is, usually the tie is just the name... And my name is,
well, common. If you try to Google me, you'll easily get confused by
many people with the same name, some in IT business as well.

But maybe I'm the exception.

-- 
Best regards,
Michał Górny
<http://dev.gentoo.org/~mgorny/>

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 963 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Andreas K. Huettel]

[-- Attachment #1: Type: text/plain, Size: 716 bytes --]

Am Mittwoch, 4. Januar 2017, 22:58:33 CET schrieb Michał Górny:

> > 
> > I would tend to agree.  Your real-world identity is tied to your
> > ability to earn a living, so you have an incentive to protect its
> > reputation.
> 
> The problem is, usually the tie is just the name... And my name is,
> well, common. If you try to Google me, you'll easily get confused by
> many people with the same name, some in IT business as well.
> 

Yep, true. I learned the annoying way that this is the one thing middle names 
are good for...

Cheers, 
Andreas "K."

[but now we're getting offtopic.... :)]

-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer (council, perl, libreoffice)

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Paweł Hajdan, Jr.]

[-- Attachment #1.1: Type: text/plain, Size: 660 bytes --]

On 04/01/2017 20:12, Michał Górny wrote:
> Isn't barrier of entry to Gentoo high enough already? I know many
> people refusing to join because they consider quizzes
> and the recruitment procedure to be too cumbersome and a waste of time.
> I can imagine requiring people to actually travel and make appointments
> with other Gentoo developers will only make things worse.

+1

By the way, now with git, why don't we change from quizzes to just
"submitted X high-quality PRs and got support from Z existing committers"?

Chromium project does that successfully - see
<https://www.chromium.org/getting-involved/become-a-committer> .

Paweł


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 827 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Rich Freeman]

On Thu, Jan 5, 2017 at 8:15 AM, Paweł Hajdan, Jr. <phajdan.jr@gentoo.org> wrote:
>
> By the way, now with git, why don't we change from quizzes to just
> "submitted X high-quality PRs and got support from Z existing committers"?
>

The quizzes cover a lot of organizational information that have
nothing to do with writing ebuilds, like the very first one: "When is
it appropriate to post to the following mailing lists: gentoo-core,
gentoo-dev, gentoo-dev-announce, gentoo-project? Provide examples of
topics that are appropriate for each one of them."

Additionally the quiz covers a pretty broad variety of topics that
just a few pull requests might not hit.  Gentoo also doesn't use CI
and tinderboxing/etc so it is important to make sure devs are aware
that they need to run repoman on all commits/etc.

The quiz interaction is also intended to help the mentor get to know
the applicant, and later for the recruiters to do the same.  There are
certainly other ways of doing that, but I suspect they'd involve a
similar amount of back and forth since the only way to get to know
somebody is to interact with them.

-- 
Rich

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[William L. Thomson Jr.]

[-- Attachment #1: Type: text/plain, Size: 3313 bytes --]

On Thursday, January 5, 2017 8:46:32 AM EST Rich Freeman wrote:
> On Thu, Jan 5, 2017 at 8:15 AM, Paweł Hajdan, Jr. <phajdan.jr@gentoo.org> 
wrote:
> > By the way, now with git, why don't we change from quizzes to just
> > "submitted X high-quality PRs and got support from Z existing committers"?
> 
> The quizzes cover a lot of organizational information that have
> nothing to do with writing ebuilds, like the very first one: "When is
> it appropriate to post to the following mailing lists: gentoo-core,
> gentoo-dev, gentoo-dev-announce, gentoo-project? Provide examples of
> topics that are appropriate for each one of them."

It is exactly that sort of stuff that causes issues for some. Why one of my 
recruiting attempts took 2 hours on the 1st quiz and did not make it half way 
through the 1st of 3 quizzes total.

From my attempt to return in 2011. Note the returning dev comment, 2010-12-21, 
and nothing from recruiting for months. Then on 2011-03-09 
https://bugs.gentoo.org/show_bug.cgi?id=135927#c27

Some may disagree with organizational information, list usage, etc. Some stuff 
like list usage is not so controversial but could become such. Questions 
relating to conflicts should not be part of quiz, IMHO. To much focus on 
organizational stuff that is pretty moot. 

Said another way, many do not care about Gentoo organizationally and not sure 
it is crucial they know that stuff to contribute. 

> Additionally the quiz covers a pretty broad variety of topics that
> just a few pull requests might not hit.  Gentoo also doesn't use CI
> and tinderboxing/etc so it is important to make sure devs are aware
> that they need to run repoman on all commits/etc.

The Java Quiz is such, but many work on Java ebuilds never having taken that 
technical quiz. It is a soft requirement for joining the team but not a hard.

> The quiz interaction is also intended to help the mentor get to know
> the applicant, and later for the recruiters to do the same.  

I think the mentor should be getting to know the applicant in working with 
them in general. Quiz review as a tool for recruiters to get to know someone 
is HORRIBLE.

Someone may have contributed for a very long time. Recruiters may be much 
newer, and their first interaction be during recruitment/quiz review. They will 
not take the time to truly get to know someone. Though they will judge them on 
their interaction as they are "qualifying" them socially and otherwise.

Recruiters should get to know recruits far in advance of a quiz.  Recruiters 
need to recruit, not just process quizzes as if they are HR. If recruiters 
knew people, I feel the entire process would be much smoother and faster.

> There are
> certainly other ways of doing that, but I suspect they'd involve a
> similar amount of back and forth since the only way to get to know
> somebody is to interact with them.

Interaction is the only way. Not just once or twice, but over a period of 
time. Or they should take the word of those who have interacted with them over 
time. Mentoring developer, or other developers.

For many the only time they will interact with a recruiter is during quiz 
review and such, and that is NOT a good way to get to know someone.

-- 
William L. Thomson Jr.

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Rich Freeman]

On Thu, Jan 5, 2017 at 12:46 PM, William L. Thomson Jr.
<wlt-ml@o-sinc.com> wrote:
>
> Some may disagree with organizational information, list usage, etc. Some stuff
> like list usage is not so controversial but could become such.

Agreement is not required, merely understanding and an agreement to
comply.  Those who lack this can of course contribute pull requests,
though they can still be subject to moderation/etc if they abuse the
lists.

> Questions
> relating to conflicts should not be part of quiz, IMHO. To much focus on
> organizational stuff that is pretty moot.
>
> Said another way, many do not care about Gentoo organizationally and not sure
> it is crucial they know that stuff to contribute.

Of course, people don't have to know anything about Gentoo to
contribute.  They do need to understand things if they want to become
an official dev, however.  Being a dev isn't just about writing code.

Conflict management is fairly critical since almost everybody who has
ever been forced to leave the organization has been the result of
conflicts (and that certainly goes WAY back before I became a dev).
Sure, Gentoo doesn't exist simply so that we can have conflicts and
manage them, but it is fairly important since it seems to be the thing
that goes wrong most often.

>
> Recruiters should get to know recruits far in advance of a quiz.  Recruiters
> need to recruit, not just process quizzes as if they are HR. If recruiters
> knew people, I feel the entire process would be much smoother and faster.
>

Sure, but that requires a MUCH larger commitment than is already
required, and we have a manpower shortage with recruiters as it is.
Requiring somebody to really get to know a recruiter before they can
become a dev seems like a pretty big barrier.  Some people don't even
want to use IRC.

So, right now the role of getting to know applicants is more that of
the mentor, and the recruiters are more of a quality check since
anybody can be a mentor (which is a good thing).  That allows more
people to be in the role of getting new people plugged in, while still
maintaining some kind of quality/consistency at the end.

Perhaps we're just getting stuck on the name "recruiter."  Perhaps
mentors should be viewed as those doing the recruiting (and anybody
can be a mentor at any time), and what we call recruiters should be
viewed as something like lead recruiters or such.

-- 
Rich

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[William L. Thomson Jr.]

[-- Attachment #1: Type: text/plain, Size: 4945 bytes --]

On Thursday, January 5, 2017 1:02:02 PM EST Rich Freeman wrote:
> On Thu, Jan 5, 2017 at 12:46 PM, William L. Thomson Jr.
> 
> <wlt-ml@o-sinc.com> wrote:
> > Some may disagree with organizational information, list usage, etc. Some
> > stuff like list usage is not so controversial but could become such.
> 
> Agreement is not required, merely understanding and an agreement to
> comply.  Those who lack this can of course contribute pull requests,
> though they can still be subject to moderation/etc if they abuse the
> lists.

I have a very in depth understanding of Gentoo organizationally and I 
vehemently disagree with most all. Thus the crux.

Any moderation can be circumvented. Look how hard it is to prove identity 
digitally. Discussed in this very thread. You can prevent someone from 
committing, that is about it. But in doing such you hold things back.

> Of course, people don't have to know anything about Gentoo to
> contribute.  They do need to understand things if they want to become
> an official dev, however.  Being a dev isn't just about writing code.

That is all being a developer is, writing code. Everything else is separated 
into the Foundation for the most part. If your not writing code, your staff.

No one needs to understand Gentoo organizationally to write ebuilds, or 
contribute. Most do not care to truly understand the organization. They are 
not learning, they are just answering quiz questions to get past that part.
 
> Conflict management is fairly critical since almost everybody who has
> ever been forced to leave the organization has been the result of
> conflicts (and that certainly goes WAY back before I became a dev).
> Sure, Gentoo doesn't exist simply so that we can have conflicts and
> manage them, but it is fairly important since it seems to be the thing
> that goes wrong most often.

Gentoo focuses way to much on such. Gentoo perpetually creates such conflicts, 
and the project has been quagmired in them while others move on. When you have 
such from the get go in both CoC and Quizzes its naturally to happen. You 
making it such almost via prophecy.

> Sure, but that requires a MUCH larger commitment than is already
> required, and we have a manpower shortage with recruiters as it is.
> Requiring somebody to really get to know a recruiter before they can
> become a dev seems like a pretty big barrier.  Some people don't even
> want to use IRC.

Not at all, I have for many years provided many suggestions to improve 
recruiting. I would be part of the man power to help recruiting and getting 
others on board.

This is in a sense where most of my anger or animosity comes from. Not only am 
I being held back, but any benefit I could bring to Gentoo is held back. What 
if I could get more Java devs, more devs, more recruiters and help Gentoo 
grow.

The simplest solution to recruiting is pro-active. Recruiters pay attention to 
contributors, who is contributing. They contact them, via email, irc, etc. 
They establish a relationship just like any recruiter placing someone for a 
job who is any good would do. 

The more time spent in out reach will be directly saved when it comes to 
processing the recruit as they are known. Work has been observed, etc.
 
> So, right now the role of getting to know applicants is more that of
> the mentor, and the recruiters are more of a quality check since
> anybody can be a mentor (which is a good thing).  That allows more
> people to be in the role of getting new people plugged in, while still
> maintaining some kind of quality/consistency at the end.

Yes but also allows recruiters who have less contact to judge someone and 
disagree with the mentor.

Said another way, The mentor Vouches for the recruit.  When a recruiter feels 
someone is not right, but the mentor vouching for them does. That basically 
means the recruiter does not trust a developer who has more experience with 
the persons judgement. That does not make any sense, and IMHO is disrespectful 
to the mentor.

After all the mentor will work with a recruit much more and longer than a 
recruiter. Both before and after recruitment. Thus recruiters should always 
take the word of the vouching mentor/developer over their own limited opinion.

> Perhaps we're just getting stuck on the name "recruiter."  Perhaps
> mentors should be viewed as those doing the recruiting (and anybody
> can be a mentor at any time), and what we call recruiters should be
> viewed as something like lead recruiters or such.

That may make sense. Then again a recruiter should not say someone is not a 
good fit for Gentoo if a mentor feels otherwise.

None the less, effort should be made to contact contributors and convert them 
to developers. What name is given to the project/team, etc is moot. It is the 
actions and efforts that matter. Establishing and growing a relationship.

How do you do community relations, without relations?

-- 
William L. Thomson Jr.

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Rich Freeman]

On Thu, Jan 5, 2017 at 1:53 PM, William L. Thomson Jr.
<wlt-ml@o-sinc.com> wrote:
>
> Gentoo focuses way to much on such. Gentoo perpetually creates such conflicts,
> and the project has been quagmired in them while others move on. When you have
> such from the get go in both CoC and Quizzes its naturally to happen. You
> making it such almost via prophecy.
>

Two things:

First, serious conflicts are actually pretty rare.  Sure, they're in
the spotlight right now because we've had one of those
once-in-a-few-years big incidents.

Second, conflicts don't actually result in quagmires.  Life moves on.
We don't have difficulty deciding what to do with problematic people.
A decision gets made, and sometimes it is appealed, and then a final
decision gets made.

I'm not sure why you think Gentoo uses consensus-based
decision-making.  Most big things happen simply by announcing them on
the lists and then change happens.  Sometimes it is controversial, so
then it waits for the next Council meeting, assuming the Council even
needs to deal with it as opposed to a project team.  Then the decision
is made, and life moves on.

Now, what we don't do is have the Council just come out with policies
out of nowhere that nobody else agrees with.  That isn't being
decisive, that is just being stupid when you're a volunteer-based
organization.  Sure, many of our decisions are compromises, but they
tend to be compromises that make sense.

>
> Not at all, I have for many years provided many suggestions to improve
> recruiting. I would be part of the man power to help recruiting and getting
> others on board.
>

Well, not until you get around appealing that decision to not be
allowed back in you claim you were the subject of.  Then we can look
forward to a final decision rather than this "quagmire" of emails.

-- 
Rich

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[William L. Thomson Jr.]

[-- Attachment #1: Type: text/plain, Size: 2531 bytes --]

On Thursday, January 5, 2017 2:15:36 PM EST Paweł Hajdan, Jr. wrote:
> On 04/01/2017 20:12, Michał Górny wrote:
> > Isn't barrier of entry to Gentoo high enough already? I know many
> > people refusing to join because they consider quizzes
> > and the recruitment procedure to be too cumbersome and a waste of time.
> > I can imagine requiring people to actually travel and make appointments
> > with other Gentoo developers will only make things worse.
> 
> +1
> 
> By the way, now with git, why don't we change from quizzes to just
> "submitted X high-quality PRs and got support from Z existing committers"?

+1

There also needs to be something in place for returning Developers, who are 
not green, and likely do not need to go through all the same recruitment 
processes. But Gentoo has never addressed that, and returning developers seem 
pretty rare.

Also while I agree, there is still a need for minimal technical quizzes. There 
is some benefit to the technical sides. At the same time some may only be 
interested in very limited things, and taking the various quizzes as is now,  
does not make sense.

Like take icedtea/openjdk. It does not make sense for the maintainer, RedHat 
employee to go through normal Gentoo recruitment. They will most likely NEVER 
touch any other package, unless it directly relates to icedtea/openjdk.

That icedtea is mostly developed on Gentoo, but the person is not a Gentoo 
developer due to Gentoo recruitment policies I think is dumb. Gentoo could 
have the author as a Developer, in addition to a RedHat employee. That would 
further put Gentoo in its role as helping to further develop FOSS Java. Which 
again all icedtea/openjdk efforts originate on Gentoo, then go to Fedora, 
RHEL, Debian, etc...

It has driven me nuts for years, stupid Gentoo policies prevent such. The 
result is a developer constantly has to proxy icedtea/openjdk stuff from java-
overlay to tree. Rather than it being done in tree from the start....

I also do not see to many companies, being willing to pay people to spend time 
taking Gentoo quizzes and going through Gentoo recruitment. Just like the java 
situation, RedHat is not going to pay them to become a Gentoo Dev. But RedHat 
is paying for FOSS Java development. That is expecting anyone who may need to 
work on Gentoo for their employer have to do somethings like recruitment in 
their off hours. Or just contribute from outside and never become a Developer.

-- 
William L. Thomson Jr.

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Rich Freeman]

On Thu, Jan 5, 2017 at 12:55 PM, William L. Thomson Jr.
<wlt-ml@o-sinc.com> wrote:
>
> I also do not see to many companies, being willing to pay people to spend time
> taking Gentoo quizzes and going through Gentoo recruitment. Just like the java
> situation, RedHat is not going to pay them to become a Gentoo Dev. But RedHat
> is paying for FOSS Java development. That is expecting anyone who may need to
> work on Gentoo for their employer have to do somethings like recruitment in
> their off hours. Or just contribute from outside and never become a Developer.
>

Do you think that RedHat would be willing to give somebody an
@redhat.com email address if they haven't in any way gone through the
RedHat new employee onboarding process?

Sure they'd happily accept somebody's contributions, but that is
different from making them part of their organization.

-- 
Rich

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[William L. Thomson Jr.]

[-- Attachment #1: Type: text/plain, Size: 821 bytes --]

On Thursday, January 5, 2017 1:04:49 PM EST Rich Freeman wrote:
>
> Do you think that RedHat would be willing to give somebody an
> @redhat.com email address if they haven't in any way gone through the
> RedHat new employee onboarding process?

Most companies have like Employee Handbooks or other policies they are not 
quizzed or tested on but must adhere to. If they are hiring a programmer, they 
may test them on programming skills. But I highly doubt most companies make 
employees learn the organization, take tests/quizzes on the organization, 
conflict resolution etc.

Speaking of RedHat, check this out. All they have to do is sign and 
acknowledge not be tested, etc.

https://investors.redhat.com/~/media/Files/R/Red-Hat-IR/governance-docs/code-of-business-conduct-and-ethics.pdf

-- 
William L. Thomson Jr.

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Daniel Campbell]

[-- Attachment #1.1: Type: text/plain, Size: 2680 bytes --]

On 01/05/2017 11:03 AM, William L. Thomson Jr. wrote:
> On Thursday, January 5, 2017 1:04:49 PM EST Rich Freeman wrote:
>>
>> Do you think that RedHat would be willing to give somebody an
>> @redhat.com email address if they haven't in any way gone through the
>> RedHat new employee onboarding process?
> 
> Most companies have like Employee Handbooks or other policies they are not 
> quizzed or tested on but must adhere to. If they are hiring a programmer, they 
> may test them on programming skills. But I highly doubt most companies make 
> employees learn the organization, take tests/quizzes on the organization, 
> conflict resolution etc.
> 
> Speaking of RedHat, check this out. All they have to do is sign and 
> acknowledge not be tested, etc.
> 
> https://investors.redhat.com/~/media/Files/R/Red-Hat-IR/governance-docs/code-of-business-conduct-and-ethics.pdf
> 

I'm generally in favor of streamlining things, but we need to look
beyond. Let's say we lower the barrier, no quizzes. A good conversation
about Gentoo, exchange some keys, they get sent a document, they sign
their name and encrypt it, bam they're a Gentoo dev in less than a week.

All goes well until "oops, this new guy pushed an ebuild without an
EAPI" or "the new guy didn't update the keywords for the version bump so
now it's considered stable and shouldn't", or "the new guy didn't run
repoman and now their metadata.xml doesn't adhere to the schema".

The quizzes serve as a) notes for future reference, and b) proves that
an individual is willing to research to solve their problem. You're not
expected to know the answers to the quizzes when you first take them.
The process of research exposes you to more information about Gentoo's
inner workings, including the PMS, which is a valuable resource whenever
you come across a weird aspect of ebuilds.

That's why we try to keep information in the devmanual up to date. It's
our best reference to the practices within Gentoo.

Introducing new developers that may not even know about repoman is a QA
disaster. We need to, one way or another, verify that the person up for
devship is competent enough to not break the things they touch. I think
that's a fair requirement, and honestly I felt that going through my
quizzes was more educational than the 3 years of casual Gentoo use that
I went through before that time.

There's a middle-ground somewhere between "everyone's free to join and
do whatever" and "only the most elite can tread here".

-- 
Daniel Campbell - Gentoo Developer
OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net
fpr: AE03 9064 AE00 053C 270C  1DE4 6F7A 9091 1EA0 55D6


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Paweł Hajdan, Jr.]

[-- Attachment #1.1: Type: text/plain, Size: 1474 bytes --]

On 10/01/2017 08:12, Daniel Campbell wrote:
> All goes well until "oops, this new guy pushed an ebuild without an
> EAPI" or "the new guy didn't update the keywords for the version bump so
> now it's considered stable and shouldn't", or "the new guy didn't run
> repoman and now their metadata.xml doesn't adhere to the schema".

I'd expect that to be covered by a number of non-trivial PRs.

Similarly, this is something I'd be looking for when deciding whether to
support someone's nomination for developer. If the evidence is not
conclusive, I'd ask for more nontrivial changes, or maybe the quiz.

> The quizzes serve as a) notes for future reference, and b) proves that
> an individual is willing to research to solve their problem. You're not
> expected to know the answers to the quizzes when you first take them.
> The process of research exposes you to more information about Gentoo's
> inner workings, including the PMS, which is a valuable resource whenever
> you come across a weird aspect of ebuilds.

Right, the quiz question often cover some corner/tricky cases which one
might not otherwise encounter.

Even devs after quiz make mistakes though, and it's not obvious when we
reach a point of diminishing returns, where it'd be easier to quickly
fix an occasional minor mistake, and have more contributions overall,
than deal with under-staffing issues which also have consequences in
some bugs not being solved at all.

Paweł


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 827 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Daniel Campbell]

[-- Attachment #1.1: Type: text/plain, Size: 535 bytes --]

On 01/04/2017 11:12 AM, Michał Górny wrote:
> I can't really imagine finding time to
> go and collect Gentoo Pokémon.

That actually sounds like a clever way to get people (as in the
community) to work on more bugs. Have bug-finder ranks or something, and
solving a broad variety of bugs would grant badges.

It's not practical in the slightest but the thought is amusing.

-- 
Daniel Campbell - Gentoo Developer
OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net
fpr: AE03 9064 AE00 053C 270C  1DE4 6F7A 9091 1EA0 55D6


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Dirkjan Ochtman]

On Wed, Jan 4, 2017 at 6:58 PM, Kristian Fiskerstrand <k_f@gentoo.org> wrote:
> With increasing focus on security in various contexts I'd like to
> propose that we start discussing catching up with other distributions
> and start requiring new developers' OpenPGP keyblocks to have at least
> two signatures from existing developers before applications can be
> made[A]. Amongst other things This helps building the Gentoo Web of Trust.

I like your proposal in abstracto (and I have the good luck of having
been at FOSDEM once, where I gathered some signatures, including
yours), but I agree with Rich and Michał in that I'm not sure how this
is practical, in the sense of not putting up another pretty big
barrier to entry for new developers. Do you have an idea for this in
mind that does not actually require expensive (in time and money) IRL
meetings?

Cheers,

Dirkjan

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 1452 bytes --]

On 01/04/2017 08:43 PM, Dirkjan Ochtman wrote:
> On Wed, Jan 4, 2017 at 6:58 PM, Kristian Fiskerstrand <k_f@gentoo.org> wrote:
>> With increasing focus on security in various contexts I'd like to
>> propose that we start discussing catching up with other distributions
>> and start requiring new developers' OpenPGP keyblocks to have at least
>> two signatures from existing developers before applications can be
>> made[A]. Amongst other things This helps building the Gentoo Web of Trust.
> 
> I like your proposal in abstracto (and I have the good luck of having
> been at FOSDEM once, where I gathered some signatures, including
> yours), but I agree with Rich and Michał in that I'm not sure how this
> is practical, in the sense of not putting up another pretty big
> barrier to entry for new developers. Do you have an idea for this in
> mind that does not actually require expensive (in time and money) IRL
> meetings?

If they are active in existing communities where Gentoo Developers
participate, you could argue for a signature (likely 0x12 c.f RFC4880
and not a 0x10 or 0x13) by using video chat and passport display in real
time. Its not something I personally do, but I know others consider it
sufficient if they have a sufficient relationship though other channels.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 700 bytes --]

On 01/04/2017 06:58 PM, Kristian Fiskerstrand wrote:
> With increasing focus on security in various contexts I'd like to
> propose that we start discussing catching up with other distributions
> and start requiring new developers' OpenPGP keyblocks to have at least
> two signatures from existing developers before applications can be
> made[A]. Amongst other things This helps building the Gentoo Web of Trust.
> 

Since the qa-report one is down, this is the current Gentoo WoT:
https://download.sumptuouscapital.com/gentoo/gentoo-devs.png

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Michael Orlitzky]

On 01/04/2017 02:47 PM, Kristian Fiskerstrand wrote:
> On 01/04/2017 06:58 PM, Kristian Fiskerstrand wrote:
>> With increasing focus on security in various contexts I'd like to
>> propose that we start discussing catching up with other distributions
>> and start requiring new developers' OpenPGP keyblocks to have at least
>> two signatures from existing developers before applications can be
>> made[A]. Amongst other things This helps building the Gentoo Web of Trust.
>>

By analogy with the CA system for websites: I don't care if the
government of China thinks you're the Bank of America. All I want to
know is, are you the guy that has my money?

Likewise, I don't care if Michał thinks you look like Kristian
Fiskerstrand. All I want to know is, are you the guy that passed the
quizzes and pasted his key into LDAP? You can change your name, move to
another country, switch genders -- I don't care -- you'll always be
0x0B7F8B60E3EDFAE3 to me. Having others verify your name is interesting
metadata, but it isn't your primary key.

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 2227 bytes --]

On 01/04/2017 09:14 PM, Michael Orlitzky wrote:
> On 01/04/2017 02:47 PM, Kristian Fiskerstrand wrote:
>> On 01/04/2017 06:58 PM, Kristian Fiskerstrand wrote:
>>> With increasing focus on security in various contexts I'd like to
>>> propose that we start discussing catching up with other distributions
>>> and start requiring new developers' OpenPGP keyblocks to have at least
>>> two signatures from existing developers before applications can be
>>> made[A]. Amongst other things This helps building the Gentoo Web of Trust.
>>>
> 
> By analogy with the CA system for websites: I don't care if the
> government of China thinks you're the Bank of America. All I want to
> know is, are you the guy that has my money?
> 
> Likewise, I don't care if Michał thinks you look like Kristian
> Fiskerstrand. All I want to know is, are you the guy that passed the
> quizzes and pasted his key into LDAP? You can change your name, move to
> another country, switch genders -- I don't care -- you'll always be
> 0x0B7F8B60E3EDFAE3 to me. Having others verify your name is interesting
> metadata, but it isn't your primary key.
> 
> 

Hopefully the ID would be the full fingerprint and not the keyid :) But
this is likely sufficient for existing developers, indeed, because trust
is built over time. However, when bringing in new developers that have
full commit access to the tree this becomes more murky. One way to
restrict that is of course a review system and partitioning on the areas
it is possible to contribute, but for the overall community building, I
consider having a stronger OpenPGP Web of Trust necessary, and that
includes entrance of new developers.

That might mean that the proposal is a two step rocket, first we need to
build a stronger Web of Trust amongst existing developers and get more
visibility in participation in local events happening around, which is
also constructive in terms of attracting new recruits. And once that is
established start enforcing more stringent rules when it comes to new
developer applications.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Michael Orlitzky]

I'm not sold -- I just don't see how having my key signed provides any
additional trust at this point. It looks like the closest developers to
me are pesa and tetromino (hi!) at around 45 miles.

Suppose I go meet Davide. We can either,

  a) Verify that we both have driver's licenses with the correct
     information, and sign each others keys to verify that we
     are who we say we are. This provides no additional security,
     because my legal name isn't what I use to commit, nor is it
     what you use to verify my commits.

  b) Verify that we can each SSH into dev.gentoo.org, confirming
     that I am really mjo and that he is really pesa. Again, we
     already know that the guy who has mjo's key is mjo and the guy
     who has pesa's key is pesa. Nothing new is learned.

If we do both, then you've learned that mjo was Michael Orlitzky at one
point in time. That's interesting metadata, but how does it provide
security?

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Paweł Hajdan, Jr.]

[-- Attachment #1.1: Type: text/plain, Size: 489 bytes --]

On 04/01/2017 22:19, Michael Orlitzky wrote:
>   b) Verify that we can each SSH into dev.gentoo.org, confirming
>      that I am really mjo and that he is really pesa. Again, we
>      already know that the guy who has mjo's key is mjo and the guy
>      who has pesa's key is pesa. Nothing new is learned.

Somewhat off-topic nit-picking: how would you verify the other person is
connecting to the real dev.gentoo.org instead of some local trickery on
their machine?

Paweł


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 827 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Michael Orlitzky]

On 01/05/2017 08:10 AM, Paweł Hajdan, Jr. wrote:
> On 04/01/2017 22:19, Michael Orlitzky wrote:
>>   b) Verify that we can each SSH into dev.gentoo.org, confirming
>>      that I am really mjo and that he is really pesa. Again, we
>>      already know that the guy who has mjo's key is mjo and the guy
>>      who has pesa's key is pesa. Nothing new is learned.
> 
> Somewhat off-topic nit-picking: how would you verify the other person is
> connecting to the real dev.gentoo.org instead of some local trickery on
> their machine?
> 

Not at all, it's fun to think about. I could create a text file on the
server while I've got eyes on the other guy. Our home directories are
world-traversable, and if he can cat /home/mjo/path/to/whatever.txt and
it looks correct, then I would be convinced.

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Brian Evans]

[-- Attachment #1.1: Type: text/plain, Size: 1022 bytes --]

On 1/4/2017 2:47 PM, Kristian Fiskerstrand wrote:
> On 01/04/2017 06:58 PM, Kristian Fiskerstrand wrote:
>> With increasing focus on security in various contexts I'd like to
>> propose that we start discussing catching up with other distributions
>> and start requiring new developers' OpenPGP keyblocks to have at least
>> two signatures from existing developers before applications can be
>> made[A]. Amongst other things This helps building the Gentoo Web of Trust.
>>
> 
> Since the qa-report one is down, this is the current Gentoo WoT:
> https://download.sumptuouscapital.com/gentoo/gentoo-devs.png
> 

What this doesn't show are the developers (including me) who have no
signatures or none relating to Gentoo.

Besides Gentoo, I have little to no interaction with anyone who even
knows what GPG even is.

I don't agree with making this a requirement or even having another hoop
to jump through for those who cannot travel.  Not everyone has the
luxury of going from place to place.

Brian


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 834 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Daniel Campbell]

[-- Attachment #1.1: Type: text/plain, Size: 947 bytes --]

On 01/04/2017 11:47 AM, Kristian Fiskerstrand wrote:
> On 01/04/2017 06:58 PM, Kristian Fiskerstrand wrote:
>> With increasing focus on security in various contexts I'd like to
>> propose that we start discussing catching up with other distributions
>> and start requiring new developers' OpenPGP keyblocks to have at least
>> two signatures from existing developers before applications can be
>> made[A]. Amongst other things This helps building the Gentoo Web of Trust.
>>
> 
> Since the qa-report one is down, this is the current Gentoo WoT:
> https://download.sumptuouscapital.com/gentoo/gentoo-devs.png
> 

Strange, I don't see myself or chutzpah on that image, but we exchanged
keys in person and signed each other's keys. Is there something off in
the relation of our keys?

-- 
Daniel Campbell - Gentoo Developer
OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net
fpr: AE03 9064 AE00 053C 270C  1DE4 6F7A 9091 1EA0 55D6


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 423 bytes --]

On 01/10/2017 08:21 AM, Daniel Campbell wrote:
> E03 9064 AE00 053C 270C  1DE4 6F7A 9091 1EA0 55D6

https://sks-keyservers.net/pks/lookup?op=vindex&search=0xAE039064AE00053C270C1DE46F7A90911EA055D6

doesn't list any signature for your keyblock connecting it to the set

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 335 bytes --]

On 01/10/2017 08:21 AM, Daniel Campbell wrote:
> Strange, I don't see myself or chutzpah on that image, but we exchanged

For chutzpah, look between robbat2 and pinkbyte somewhere :)

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Alice Ferrazzi]

On January 5, 2017 2:58:26 AM GMT+09:00, Kristian Fiskerstrand <k_f@gentoo.org> wrote:
>With increasing focus on security in various contexts I'd like to
>propose that we start discussing catching up with other distributions
>and start requiring new developers' OpenPGP keyblocks to have at least
>two signatures from existing developers before applications can be
>made[A]. Amongst other things This helps building the Gentoo Web of
>Trust.
>
>
>E.g [Debian] has the following requirement: "To maintain the strong Web
>of Trust that connects all Debian Developers, Applicants need to
>identify themselves by providing an OpenPGP key that is signed by at
>least two official Developers. To further ensure their identity,
>signatures by other people (who do not need to be DDs, but should be
>well connected in the overall Web of Trust) are strongly recommended."
>

Debian can work with Web of Trust because of the annual Debconf and/or some local Debian meeting. 
I think Gentoo approaches and objectives are different. 
Gentoo is looking more at the technical skill of the person, not at how much is well connected. 
imho

>
>References:
>
>[Debian] https://www.debian.org/devel/join/nm-checklist
>
>
>Endnotes:
>
>[A] Possibly with an opt-out by application to council, in case there
>are certain regions where this is considered non-feasable etc.

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 1093 bytes --]

On 01/04/2017 09:00 PM, Alice Ferrazzi wrote:

> On January 5, 2017 2:58:26 AM GMT+09:00, Kristian Fiskerstrand <k_f@gentoo.org> wrote:


>>
>> E.g [Debian] has the following requirement: "To maintain the strong Web
>> of Trust that connects all Debian Developers, Applicants need to
>> identify themselves by providing an OpenPGP key that is signed by at
>> least two official Developers. To further ensure their identity,
>> signatures by other people (who do not need to be DDs, but should be
>> well connected in the overall Web of Trust) are strongly recommended."
>>
> 
> Debian can work with Web of Trust because of the annual Debconf and/or some local Debian meeting. 
> I think Gentoo approaches and objectives are different. 
> Gentoo is looking more at the technical skill of the person, not at how much is well connected. 
> imho
> 

This sounds like we need more Gentoo events, I know you're working on it :)


-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Andrew Savchenko]

[-- Attachment #1: Type: text/plain, Size: 1901 bytes --]

On Wed, 4 Jan 2017 18:58:26 +0100 Kristian Fiskerstrand wrote:
> With increasing focus on security in various contexts I'd like to
> propose that we start discussing catching up with other distributions
> and start requiring new developers' OpenPGP keyblocks to have at least
> two signatures from existing developers before applications can be
> made[A]. Amongst other things This helps building the Gentoo Web of Trust.
> 
> 
> E.g [Debian] has the following requirement: "To maintain the strong Web
> of Trust that connects all Debian Developers, Applicants need to
> identify themselves by providing an OpenPGP key that is signed by at
> least two official Developers. To further ensure their identity,
> signatures by other people (who do not need to be DDs, but should be
> well connected in the overall Web of Trust) are strongly recommended."
> 
> 
> References:
> 
> [Debian] https://www.debian.org/devel/join/nm-checklist
> 
> 
> Endnotes:
> 
> [A] Possibly with an opt-out by application to council, in case there
> are certain regions where this is considered non-feasable etc.
> 

This will be next to impossible for many candidates. What about
people who don't have Gentoo devs nearby? They have to flight
(probably to some event) to meet them. What if this is too
expensive for them, or they can't leave their country due to
various reasons, or they just don't have time slot to visit
particular event?

Frankly, with such requirement I could not have become developer
myself back then in 2014.

And what about anonymous developers? We do have them and in modern
world people may have good reasons to stay anonymous. Just reminds
me about US braindead law allowing company to own all code written
by dev, while he/she is employed, even when that code was written
using during off-duty hours or vacation days.

Best regards,
Andrew Savchenko

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 1515 bytes --]

On 01/04/2017 09:46 PM, Andrew Savchenko wrote:
> On Wed, 4 Jan 2017 18:58:26 +0100 Kristian Fiskerstrand wrote:


>> Endnotes:
>>
>> [A] Possibly with an opt-out by application to council, in case there
>> are certain regions where this is considered non-feasable etc.
>>
> 
> This will be next to impossible for many candidates. What about
> people who don't have Gentoo devs nearby? They have to flight
> (probably to some event) to meet them. What if this is too
> expensive for them, or they can't leave their country due to
> various reasons, or they just don't have time slot to visit
> particular event?

This would be Note A, to allow for consideration on a per-case basis

> 
> Frankly, with such requirement I could not have become developer
> myself back then in 2014.
> 
> And what about anonymous developers? We do have them and in modern
> world people may have good reasons to stay anonymous. Just reminds
> me about US braindead law allowing company to own all code written
> by dev, while he/she is employed, even when that code was written
> using during off-duty hours or vacation days.

Anonymous developers cause issues in other aspects as well, including
copyright considerations. I'm not convinced it is necessarily a good
thing to support it to a great extent.

> 
> Best regards,
> Andrew Savchenko
> 


-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 1244 bytes --]

>>>>> On Wed, 4 Jan 2017, Kristian Fiskerstrand wrote:

> On 01/04/2017 09:46 PM, Andrew Savchenko wrote:
>> And what about anonymous developers? We do have them and in modern
>> world people may have good reasons to stay anonymous. Just reminds
>> me about US braindead law allowing company to own all code written
>> by dev, while he/she is employed, even when that code was written
>> using during off-duty hours or vacation days.

> Anonymous developers cause issues in other aspects as well, including
> copyright considerations. I'm not convinced it is necessarily a good
> thing to support it to a great extent.

Right, copyright issues alone are reason enough that developers should
commit under their real name. Recruiters have it in their rules [1]
since a long time that no exceptions to that rule will be made for
devs doing copyrightable work. So this isn't anything new.

Also I'm pretty sure that US law (or rather employment contracts)
doesn't differentiate between somebody committing under their real
name or under a pseudonym. The latter just hides the problem and has
a potential for repercussions at some later time.

Ulrich

[1] https://wiki.gentoo.org/wiki/Project:Recruiters#What_does_the_recruitment_process_involve.3F

[-- Attachment #2: Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Rich Freeman]

On Wed, Jan 4, 2017 at 3:46 PM, Andrew Savchenko <bircoph@gentoo.org> wrote:
>
> And what about anonymous developers? We do have them and in modern
> world people may have good reasons to stay anonymous.

While we have occasionally allowed individuals to not publish their
real name (which I'm not entirely convinced is a great idea), we do
require that all developers disclose their names for legal reasons.
Now, the reality is that we don't currently rigorously verify the
names that are supplied.

In at least some situations somebody who has a need to protect their
identity may be eligible to have their government issue an ID under
another name legally, which would be an ideal solution to this
problem.  That also takes us out of the role of having to vet the
legitimacy of such requests.

> Just reminds
> me about US braindead law allowing company to own all code written
> by dev, while he/she is employed, even when that code was written
> using during off-duty hours or vacation days.
>

A citation would be welcome on that "law."  :)

The actual laws say that copyright is owned by the author, unless it
is a work for hire, or unless it is transferred.  Now, employment
contracts often make grandiose claims of ownership to anything
somebody does, but the extent to which these claims are enforceable in
court is a bit dubious.  If the work is related to the area of
somebody's employment then there probably is a pretty strong claim to
the work under US law, and I think the claims are hard to enforce if
the employee is a low-level employee and the work has no relationship
to what somebody is paid for.  And then there is every shade of grey
in-between.  It is like non-compete clauses: lots of companies have
them, but courts tend to be more reasonable in enforcing them.

In any case, either way we don't do ourselves any favors by keeping
somebody anonymous.  If somebody has a legal claim on something
contributed to Gentoo it is better that we identify that issue before
it becomes deeply embedded in our codebase where it becomes much
harder to remove.  Hiding problems doesn't make them go away, and
willfully hiding them tends not to be looked at kindly in a court.

-- 
Rich

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Aaron Bauman]

[-- Attachment #1.1.1: Type: text/plain, Size: 2319 bytes --]


On 01/05/2017 02:58 AM, Kristian Fiskerstrand wrote:
> With increasing focus on security in various contexts I'd like to
> propose that we start discussing catching up with other distributions
> and start requiring new developers' OpenPGP keyblocks to have at least
> two signatures from existing developers before applications can be
> made[A]. Amongst other things This helps building the Gentoo Web of Trust.
>
>
> E.g [Debian] has the following requirement: "To maintain the strong Web
> of Trust that connects all Debian Developers, Applicants need to
> identify themselves by providing an OpenPGP key that is signed by at
> least two official Developers. To further ensure their identity,
> signatures by other people (who do not need to be DDs, but should be
> well connected in the overall Web of Trust) are strongly recommended."
>
>
> References:
>
> [Debian] https://www.debian.org/devel/join/nm-checklist
>
>
> Endnotes:
>
> [A] Possibly with an opt-out by application to council, in case there
> are certain regions where this is considered non-feasable etc.
>

Thanks for the proposal, Kristian. Overall, I think we do need some more
detail (for the masses) and possibly a GLEP drafted with those specifics.

Debian's model [1] seems very flexible and retains the ability for
developers to be exempted from the process due to extenuating
circumstances. There are no intentions of "locking" any one out because
of financial or geographical restraints.

The concerns about fakes and other avenues of deception are well
founded, but as of now Gentoo is wide open anyway. This model will allow
us to begin a long process of building the WoT which can only get better
if recruitment goes up. It really only makes things *better*.

Maybe it will encourage more social interaction as well. I have
conferenced with other developers via audio and maybe soon video. Not
only does it bring an aspect of personal interaction... it also brings a
new level of understanding instead of the textual medium we are all so
used to.

The ultimate goal here is to build the WoT, as you mentioned, and bring
more validity to our tree etc. I would be willing to help draft the GLEP
and ensure we meet such intent.

-Aaron

[1]: https://www.debian.org/events/keysigning



[-- Attachment #1.1.2: Type: text/html, Size: 4824 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 949 bytes --]

Re: [gentoo-project] Require OpenPGP signatures from existing devs on new developer applications?

[Daniel Campbell]

[-- Attachment #1.1: Type: text/plain, Size: 2882 bytes --]

On 01/06/2017 01:44 AM, Aaron Bauman wrote:
> 
> On 01/05/2017 02:58 AM, Kristian Fiskerstrand wrote:
>> With increasing focus on security in various contexts I'd like to
>> propose that we start discussing catching up with other distributions
>> and start requiring new developers' OpenPGP keyblocks to have at least
>> two signatures from existing developers before applications can be
>> made[A]. Amongst other things This helps building the Gentoo Web of Trust.
>>
>>
>> E.g [Debian] has the following requirement: "To maintain the strong Web
>> of Trust that connects all Debian Developers, Applicants need to
>> identify themselves by providing an OpenPGP key that is signed by at
>> least two official Developers. To further ensure their identity,
>> signatures by other people (who do not need to be DDs, but should be
>> well connected in the overall Web of Trust) are strongly recommended."
>>
>>
>> References:
>>
>> [Debian] https://www.debian.org/devel/join/nm-checklist
>>
>>
>> Endnotes:
>>
>> [A] Possibly with an opt-out by application to council, in case there
>> are certain regions where this is considered non-feasable etc.
>>
> 
> Thanks for the proposal, Kristian. Overall, I think we do need some more
> detail (for the masses) and possibly a GLEP drafted with those specifics.
> 
> Debian's model [1] seems very flexible and retains the ability for
> developers to be exempted from the process due to extenuating
> circumstances. There are no intentions of "locking" any one out because
> of financial or geographical restraints.
> 
> The concerns about fakes and other avenues of deception are well
> founded, but as of now Gentoo is wide open anyway. This model will allow
> us to begin a long process of building the WoT which can only get better
> if recruitment goes up. It really only makes things *better*.
> 
> Maybe it will encourage more social interaction as well. I have
> conferenced with other developers via audio and maybe soon video. Not
> only does it bring an aspect of personal interaction... it also brings a
> new level of understanding instead of the textual medium we are all so
> used to.
> 
> The ultimate goal here is to build the WoT, as you mentioned, and bring
> more validity to our tree etc. I would be willing to help draft the GLEP
> and ensure we meet such intent.
> 
> -Aaron
> 
> [1]: https://www.debian.org/events/keysigning
> 
> 
I'd be willing to help on drafting as well. Keysigning is something I've
been wanting to get into, and helping Gentoo makes it even better. I
could look into LUGs near me and see if they'd be receptive to an event
like that, if only to raise awareness for both PGP and Gentoo.

-- 
Daniel Campbell - Gentoo Developer
OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net
fpr: AE03 9064 AE00 053C 270C  1DE4 6F7A 9091 1EA0 55D6


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]