Subject: Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust
To: gentoo-project@lists.gentoo.org, Michał Górny
From: desultory
Date: Sat, 2 Feb 2019 00:55:28 -0500
List-Id: Gentoo Project discussion list

On 02/01/19 08:25, Michał Górny wrote:
> On Thu, 2019-01-31 at 12:33 -0500, Rich Freeman wrote:
>> On Thu, Jan 31, 2019 at 8:56 AM Michał Górny wrote:
>>>
>>> 1. It is entirely customary and therefore requires customized software
>>> to use. In other words, it's of limited usefulness to people outside
>>> Gentoo or does not work out of the box there.
>>
>> This part could be addressed easily by having Gentoo create a signing
>> key, and automatically signing all dev keys based on LDAP using it.
>> Then users can trust that one key and inherit trust for the rest.
>>
>> Users have to opt into the trust model by trusting somebody's key no
>> matter what. No reason that couldn't be a centrally-managed one.
>>
>> I'll also agree with the comment that physically interacting with
>> people is not all that easy. There are many areas of the world where
>> FOSS developers are relatively uncommon, let alone Gentoo ones.
>> Unless those alternate organizations have VERY broad coverage (such as
>> an alternative of a notary recognized by any country or something like
>> that) you're still going to have issues.
>>
>>> Verify the person's real name (at least for the user identifier
>>> used for copyright purposes). This is usually done through
>>> verifying an identification document with photograph. It is
>>> a good idea to ask for the document type earlier, and read on
>>> forgery protections used.
>>
>> "usually"? "identification document"? Does this mean that an
>> appropriate method of verification is entirely up to individual
>> discretion? If so that makes the process of getting every key signed
>> fairly trivial as long as two people have (in?)appropriately-rigorous
>> standards...
>>
>
> I'm sorry, I keep forgetting that you can't rely on people in Gentoo
> being mature and you need to specify everything as 'MUST' and 'MUST
> NOT', or otherwise they are going to ignore the spirit of the policy
> and violate in the worst way permitted by bending the wording.
>

You started this thread with what distinctly appeared to be a plea to avoid ad hominem attacks, just to turn around and make them yourself. Do, kindly, stop it.