Enrico Zini wrote:
> we have people approaching Debian with a lack of GPG signatures, and we
> generally cannot ask them to travel and meet other developers in person
> to get their key signed.
It's worthwhile stating the actual problem that is trying to be solved here. I believe that is: "Given difficulties with keysigning in the modern environment, what does the project believe is the appropriate verification of identification before we allow someone access to our systems, the ability to upload packages and/or the ability to vote within the project?"

For a long time our default approach has been that a sufficiently signed PGP key is our bar, with occasional exceptions when alternative verification has been performed (I know in the past DAM has phoned applicants when it has been impossible for them to obtain signatures).

Key signing has been creaking for a while, and I'm conscious even before COVID-19 it was a bar that made things difficult for some applicants. Equally, DAM phoning everyone does not scale (and I'm not even sure how it adds a significant extra level of assurance).

I worry that by framing this discussion in terms of "what would be an acceptable weakening of our keysigning requirements" we are losing the benefit we gain from keysigning, and avoiding the actual problem we want to solve.

J.

--
] https://www.earth.li/~noodles/ [] If a program is useless, it must [
] PGP/GPG Key @ the.earth.li [] be documented. [
] via keyserver, web or email. [] [
] RSA: 4096/0x94FA372B2DA8B985 [] [