On Fri, Mar 25, 2011 at 3:50 PM, Andreas K. Huettel wrote:
>> > * The key must have a userid that refers to an official Gentoo e-mail
>> > address. E.g. dilfri...@gentoo.org
>>
>> no. there's no reason for this requirement, and it prevents proxy
>> maintenance long term. e-mail addresses do not verify identity,
>> verifying identity verifies identity. this is the point of the web of
>> trust.
>
> So what sort of identity do you want to verify? Seriously, at the moment when
> I got my commit bit, no one from Gentoo had ever met me in person, and for
> sure no one had ever had a look at my passport or any similar legal document.
> The only established connection was my preexisting gpg key, which was then
> coupled to my gentoo account.

and nowhere do we require you to generate a gpg key bound to the Gentoo
e-mail address. we require you to provide a gpg key only. like you said
*right here*, we have 0 information to identify you, and using a Gentoo
e-mail address adds *nothing* to that. so why add a completely useless
requirement?

> As for proxy maintenance, isn't the whole point of that that the proxied
> maintainers are not devs and do not have (commit access | a gentoo.org user
> id)? I do not understand how this would prevent proxy maintenance.

uhh, you already pointed out how -- git. if i pull updates from a proxy
maintainer, it's going to have his signing.
-mike