> > So what sort of identity do you want to verify? Seriously, at the moment
> > when I got my commit bit, no one from Gentoo had ever met me in person, and
> > for sure no one had ever had a look at my passport or any similar legal
> > document. The only established connection was my preexisting gpg key, which
> > was then coupled to my gentoo account.
>
> and nowhere do we require you to generate a gpg key bound to the
> Gentoo e-mail address. we require you to provide a gpg key only.
> like you said *right here*, we have 0 information to identify you, and
> using a Gentoo e-mail address adds *nothing* to that. so why add a
> completely useless requirement?
Because, pointing out the obvious, the key can contain all sorts of random true or false information. I could have a user id saying "Barack Obama <presid...@whitehouse.gov>". To be able to do key validation based on gpg's mechanisms, a userid needs to be signed. As e.g. Scarabeus and Wired can confirm, I'm definitely not Barack Obama, but for less obvious cases the validity of the provided identity may be unclear.

Now, if I add a userid "<dilfri...@gentoo.org>" to my key, this userid does not contain any information that is not already verified and "in the Gentoo infra data". So, this one userid could be signed immediately by a central instance without any further fuss. It's imho not a hard requirement, but it considerably eases administration. So why not require it for devs?

> > As for proxy maintenance, isn't the whole point of that that the proxied
> > maintainers are not devs and do not have (commit access | a gentoo.org user
> > id)? I do not understand how this would prevent proxy maintenance.
>
> uhh, you already pointed out how -- git. if i pull updates from a
> proxy maintainer, it's going to have his signing.

Point taken...

-- 
Andreas K. Huettel
Gentoo Linux developer - kde, sci, arm, tex
dilfri...@gentoo.org
http://www.akhuettel.de/
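The distinction drawn above, that a userid on a key proves nothing by itself and only becomes usable for validation once a trusted central instance has signed it, as an added Python example that is not part of the thread: it parses `gpg --with-colons --check-sigs` output (a constructed sample here; the key ids, addresses and the "infra" certifier are assumptions) and reports which userids carry a good certification from a designated signer rather than only the owner's self-signature.

```python
import subprocess

# Constructed sample of `gpg --with-colons --check-sigs <key>` output; key ids
# and addresses are made up. Sig record fields used (0-based): [1] validity
# ("!" = verified good), [4] signer key id, [10] class (10x..13x = uid cert).
SAMPLE = """\
pub:u:4096:1:1111111111111111:1600000000:::u:::scESC::::::23::0:
fpr:::::::::AAAA1111111111111111111111111111111111111111:
uid:u::::1600000000::HASH1::Barack Obama <president@example.invalid>::::::::::0:
sig:!::1:1111111111111111:1600000000::::[self-signature]:13x:::::::8:
uid:u::::1600000000::HASH2::<dev@gentoo.invalid>::::::::::0:
sig:!::1:1111111111111111:1600000000::::[self-signature]:13x:::::::8:
sig:!::1:2222222222222222:1600000100::::Infra Signing Key <infra@gentoo.invalid>:13x:::::::8:
sig:-::1:3333333333333333:1600000200::::Mallory <mallory@example.invalid>:13x:::::::8:
"""
CERTIFICATION_CLASSES = ("10", "11", "12", "13")

def certified_uids(colon_output, trusted_signers, own_keyid):
    """Map each uid on the key to the trusted certifiers that signed it.

    Only signatures gpg marked good ("!") from keys in trusted_signers count;
    the key's own self-signature is skipped, since the owner can put any name
    in a uid and that says nothing about whether the identity is real.
    """
    result, current = {}, None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "uid":
            current = fields[9]
            result[current] = set()
        elif fields[0] == "sig" and current is not None:
            validity, signer, sig_class = fields[1], fields[4], fields[10]
            if validity != "!" or signer == own_keyid:
                continue
            if sig_class[:2] in CERTIFICATION_CLASSES and signer in trusted_signers:
                result[current].add(signer)
    return result

def identity_verdict(colon_output, trusted_signers, own_keyid):
    """Return {uid: "certified" | "unverified"} for every uid on the key."""
    return {uid: "certified" if signers else "unverified"
            for uid, signers in certified_uids(colon_output, trusted_signers, own_keyid).items()}

def verdict_for_key(key_fpr, trusted_signers, own_keyid):
    """Same check against a key in the local keyring; assumes gpg is installed."""
    out = subprocess.run(["gpg", "--with-colons", "--check-sigs", key_fpr],
                         capture_output=True, text=True, check=True).stdout
    return identity_verdict(out, trusted_signers, own_keyid)
```

Running `identity_verdict(SAMPLE, {"2222222222222222"}, "1111111111111111")` marks the "Barack Obama" uid unverified (self-signed only) and the address uid certified; Mallory's signature is ignored because gpg did not verify it as good.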