Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust

public inbox for gentoo-project@lists.gentoo.org
 help / color / mirror / Atom feed

From: desultory <desultory@gentoo.org>
To: gentoo-project@lists.gentoo.org, "Michał Górny" <mgorny@gentoo.org>
Subject: Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust
Date: Sat, 2 Feb 2019 00:55:28 -0500	[thread overview]
Message-ID: <c94b722f-cc71-1862-889e-1c89a9ff8900@gentoo.org> (raw)
In-Reply-To: <1549027511.722.0.camel@gentoo.org>

On 02/01/19 08:25, Michał Górny wrote:
> On Thu, 2019-01-31 at 12:33 -0500, Rich Freeman wrote:
>> On Thu, Jan 31, 2019 at 8:56 AM Michał Górny <mgorny@gentoo.org> wrote:
>>>
>>> 1. It is entirely customary and therefore requires customized software
>>>    to use.  In other words, it's of limited usefulness to people outside
>>>    Gentoo or does not work out of the box there.
>>
>> This part could be addressed easily by having Gentoo create a signing
>> key, and automatically signing all dev keys based on LDAP using it.
>> Then users can trust that one key and inherit trust for the rest.
>>
>> Users have to opt into the trust model by trusting somebody's key no
>> matter what.  No reason that couldn't be a centrally-managed one.
>>
>> I'll also agree with the comment that physically interacting with
>> people is not all that easy.  There are many areas of the world where
>> FOSS developers are relatively uncommon, let alone Gentoo ones.
>> Unless those alternate organizations have VERY broad coverage (such as
>> an alternative of a notary recognized by any country or something like
>> that) you're still going to have issues.
>>
>>> Verify the person's real name (at least for the user identifier
>>>      used for copyright purposes).  This is usually done through
>>>      verifying an identification document with photograph.  It is
>>>      a good idea to ask for the document type earlier, and read on
>>>      forgery protections used.
>>
>> "usually"?  "identification document"?  Does this mean that an
>> appropriate method of verification is entirely up to individual
>> discretion?  If so that makes the process of getting every key signed
>> fairly trivial as long as two people have (in?)appropriately-rigorous
>> standards...
>>
> 
> I'm sorry, I keep forgetting that you can't rely on people in Gentoo
> being mature and you need to specify everything as 'MUST' and 'MUST
> NOT', or otherwise they are going to ignore the spirit of the policy
> and violate in the worst way permitted by bending the wording.
> 
You started this thread with what distinctly appeared to be a plea to
avoid ad hominem attacks, just to turn around make make them yourself.
Do, kindly, stop it.

next prev parent reply	other threads:[~2019-02-02  5:55 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-01-31 13:56 [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust Michał Górny
2019-01-31 14:21 ` Brian Evans
2019-01-31 15:33   ` Matthew Thode
2019-02-01  2:48   ` Sam Jorna (wraeth)
2019-02-01  6:57   ` Michał Górny
2019-02-01 14:43     ` Brian Evans
2019-02-02  6:00     ` desultory
2019-01-31 15:32 ` Matthew Thode
2019-02-01 12:47   ` Andreas K. Huettel
2019-02-01 14:17     ` Cynede
2019-02-01 14:32       ` Rich Freeman
2019-02-01 14:53         ` Kristian Fiskerstrand
2019-02-01 17:27           ` Kristian Fiskerstrand
2019-02-01 20:46             ` Rich Freeman
2019-02-02  6:02     ` desultory
2019-02-01 14:20   ` Michał Górny
2019-01-31 16:33 ` Kristian Fiskerstrand
2019-01-31 16:35 ` Alec Warner
2019-01-31 20:29   ` Kristian Fiskerstrand
2019-01-31 21:40     ` Alec Warner
2019-01-31 22:00       ` Kristian Fiskerstrand
2019-01-31 22:49       ` Michael Orlitzky
2019-02-01  0:09         ` Rich Freeman
2019-02-01  0:47           ` Kristian Fiskerstrand
2019-01-31 17:33 ` Rich Freeman
2019-02-01 12:51   ` Andreas K. Huettel
2019-02-01 13:25   ` Michał Górny
2019-02-02  5:55     ` desultory [this message]
2019-02-02 13:47       ` Rich Freeman
2019-01-31 19:25 ` Kristian Fiskerstrand
2019-02-01  0:41 ` Chris Reffett
2019-02-01  0:42   ` Kristian Fiskerstrand
2019-02-01  0:55     ` Chris Reffett
2019-02-01  1:56       ` Rich Freeman
2019-02-01 12:52         ` Andreas K. Huettel
2019-02-02  5:54 ` desultory

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=c94b722f-cc71-1862-889e-1c89a9ff8900@gentoo.org \
    --to=desultory@gentoo.org \
    --cc=gentoo-project@lists.gentoo.org \
    --cc=mgorny@gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox