From: Alec Warner <antarus@gentoo.org>
To: k_f@gentoo.org
Cc: gentoo-project <gentoo-project@lists.gentoo.org>
Subject: Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust
Date: Thu, 31 Jan 2019 16:40:18 -0500
Message-ID: <CAAr7Pr8BUqN2f2=QZRA2T7KDuNMbpp+hmMrzEDsGHnPaY2N0XQ@mail.gmail.com>
In-Reply-To: <337a117a-7b97-2000-f88e-2bd80cc15faa@gentoo.org>
On Thu, Jan 31, 2019 at 3:31 PM Kristian Fiskerstrand <k_f@gentoo.org> wrote:
> On 1/31/19 5:35 PM, Alec Warner wrote:
> >
> > My main problem with the GLEP is that it seems to propose a WoT for
> > a WoT's sake and my question then becomes "why do we need a WoT?"
> >
> > As in, what does a WoT enable the project to do that it cannot do
> > now?
>
> There are multiple aspects to this, and I'm only commenting the way I
> see it here.
>
> Being part of the WoT allows external parties to find a trust path to
> Gentoo developers, e.g. when it comes to relying on communication in
> various channels. This part could also be solved by infra running a
> Gentoo Developer CA that signs all developers' Transferable Public Key
> (TSP, aka public key).
>
So we have a website that lists all of our developers and their gpg-fps
already. I realize that mgorny will object that this is a 'nonstandard
tool' or somesuch, but I think from my POV it's a pretty straightforward
tool. Obviously it requires trusting www.gentoo.org and our CA (of which we
do not run our own, so it is letsencrypt, IIRC).
>
> More generally, being part of the WoT can demonstrate participation in
> various developer communities. A user that is involved in various
> upstream projects and familiar with them already can potentially be more
> valuable as a developer for Gentoo, and can also potentially be a factor
> for reduced tension between developers as they have demonstrated being
> part of other communities already.
>
I agree this is a benefit, but is not sufficient to be mandatory.
>
> In addition comes a better certainty about the UID used for copyright in
> signed-off-by, we as a distribution rely on this for both developers and
> external contributors, and we need to demonstrate that we have taken
> reasonable measures to ensure that what we add is unencumbered.
>
I assume this is where the mandatory bits come in (and obviously where all
of the exciting politicking will happen around who owns how to assess and
address risk to "gentoo" and what "gentoo" is and so forth.)
To that end, is the WoT also mandatory for contributors? I didn't see
anything in the GLEP about it.
-A
> --
> Kristian Fiskerstrand
> OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3