On Thu, Jan 31, 2019 at 3:31 PM Kristian Fiskerstrand wrote:

> On 1/31/19 5:35 PM, Alec Warner wrote:
> >
> > My main problem with the GLEP is that it seems to propose a WoT for
> > a WoT's sake and my question then becomes "why do we need a WoT?"
> >
> > As in, what does a WoT enable the project to do that it cannot do
> > now?
>
> There are multiple aspects to this, and I'm only commenting the way I
> see it here.
>
> Being part of the WoT allows external parties to find a trust path to
> Gentoo developers, e.g. when it comes to relying on communication in
> various channels. This part could also be solved by infra running a
> Gentoo Developer CA that signs all developers' Transferable Public Key
> (TSP, aka public key).

So we have a website that lists all of our developers and their gpg-fps
already. I realize that mgorny will object that this is a 'nonstandard
tool' or somesuch, but I think from my POV it's a pretty straightforward
tool. Obviously it requires trusting www.gentoo.org and our CA (of which
we do not run our own, so it is letsencrypt, IIRC.)

> More generally, being part of the WoT can demonstrate participation in
> various developer communities. A user that is involved in various
> upstream projects and familiar with them already can potentially be
> more valuable as a developer for Gentoo, and can also potentially be a
> factor for reduced tension between developers as they have demonstrated
> being part of other communities already.

I agree this is a benefit, but it is not sufficient to be mandatory.

> In addition comes a better certainty about the UID used for copyright
> in Signed-off-by; we as a distribution rely on this for both developers
> and external contributors, and we need to demonstrate that we have
> taken reasonable measures to ensure that what we add is unencumbered.

I assume this is where the mandatory bits come in (and obviously where
all of the exciting politicking will happen around who owns how to
assess and address risk to "gentoo" and what "gentoo" is and so forth.)

To that end, is the WoT also mandatory for contributors? I didn't see
anything in the GLEP about it.

-A

> --
> Kristian Fiskerstrand
> OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
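To make concrete what "find a trust path to Gentoo developers" means in the two models the quoted message contrasts (a developer web of trust versus an infra-run CA that certifies every developer key), here is an added Python illustration. It is not code from the GLEP, from Gentoo infra, or from GnuPG: the key names, ownertrust assignments and certification graph are constructed for the example, and the validity rule is a simplified rendering of GnuPG's classic trust-model defaults (one fully trusted certifier or three marginally trusted certifiers, maximum certification depth 5), not GnuPG's actual implementation.

```python
"""Simplified web-of-trust validity and trust-path computation.

Added illustration; not code from the GLEP, Gentoo infra or GnuPG.
Keys are named placeholders rather than real fingerprints, and the
certification graphs below are constructed for this example.
"""
from typing import Dict, List, Set, Tuple

# Classic trust-model defaults (as GnuPG ships them): a key becomes
# valid when certified by 1 fully trusted key or 3 marginally trusted
# keys, and certification chains are followed at most 5 levels deep.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5

# --- Model 1: developer web of trust (constructed data) ----------------
# Ownertrust is what the *verifier* (alice) assigns to keys she has
# inspected; "ultimate" marks her own key. Unlisted keys have no trust.
OWNERTRUST = {
    "alice": "ultimate",
    "bob": "full",
    "carol": "marginal",
    "dave": "marginal",
    "eve": "marginal",
}
# certifier -> keys whose UIDs that certifier has signed.
CERTS: Dict[str, Set[str]] = {
    "alice": {"bob", "carol"},
    "bob": {"dave", "eve"},
    "carol": {"frank"},
    "dave": {"frank"},
    "eve": {"frank"},
    "mallory": {"grace"},  # mallory has no ownertrust, so this is worthless
}

# --- Model 2: infra-run developer CA (constructed data) -----------------
# The verifier trusts the CA key fully; the CA certifies every developer.
CA_OWNERTRUST = {"alice": "ultimate", "gentoo_ca": "full"}
CA_CERTS: Dict[str, Set[str]] = {
    "alice": {"gentoo_ca"},
    "gentoo_ca": {"bob", "carol", "dave", "eve", "frank"},
}

Validity = Dict[str, Tuple[int, List[str]]]  # key -> (depth, certifiers used)


def compute_validity(ownertrust: Dict[str, str],
                     certs: Dict[str, Set[str]],
                     max_depth: int = MAX_CERT_DEPTH) -> Validity:
    """Return every key that is valid from the ultimate keys' point of view.

    A key counts as valid at depth d if enough *already valid* keys with
    ownertrust certified it. Certifications from keys that are not
    themselves valid are ignored, which is what stops mallory's
    signature on grace from meaning anything.
    """
    valid: Validity = {k: (0, []) for k, t in ownertrust.items()
                       if t == "ultimate"}
    certified_by: Dict[str, Set[str]] = {}
    for signer, targets in certs.items():
        for target in targets:
            certified_by.setdefault(target, set()).add(signer)

    for depth in range(1, max_depth + 1):
        newly_valid: Validity = {}
        for key, signers in certified_by.items():
            if key in valid:
                continue
            full, marginal = [], []
            for s in signers:
                if s not in valid:
                    continue
                trust = ownertrust.get(s, "unknown")
                if trust in ("ultimate", "full"):
                    full.append(s)
                elif trust == "marginal":
                    marginal.append(s)
            if len(full) >= COMPLETES_NEEDED:
                newly_valid[key] = (depth, sorted(full))
            elif len(marginal) >= MARGINALS_NEEDED:
                newly_valid[key] = (depth, sorted(marginal))
        if not newly_valid:
            break  # graph exhausted before hitting max depth
        valid.update(newly_valid)
    return valid


def trust_path(valid: Validity, key: str) -> List[str]:
    """Walk certifiers back to an ultimate key; [] if key is not valid."""
    if key not in valid:
        return []
    path = [key]
    depth, certifiers = valid[key]
    while depth > 0:
        key = certifiers[0]  # any contributing certifier leads to a root
        path.append(key)
        depth, certifiers = valid[key]
    return path[::-1]


if __name__ == "__main__":
    wot = compute_validity(OWNERTRUST, CERTS)
    ca = compute_validity(CA_OWNERTRUST, CA_CERTS)
    for name in ("frank", "grace"):
        print(f"WoT path to {name}: {trust_path(wot, name) or 'none'}")
        print(f"CA  path to {name}: {trust_path(ca, name) or 'none'}")
```

In the WoT data, frank only becomes valid once dave and eve are themselves valid (depth 3, via three marginal certifiers), whereas in the CA data every developer the CA signed is valid at depth 2 through a single fully trusted key; grace, signed only by a key the verifier never assigned trust to, is unreachable in both. That is the practical difference between the two options the quoted message puts side by side: the CA collapses the graph search to "did infra sign this key", at the cost of everyone having to trust that one CA key.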