Hello, thanks Stamatis for starting this discussion. I agree with your proposals.
I'm in UTC+1 right now (UTC in winter).

Best,
Ruben

On Mon, Mar 28, 2022 at 9:22 AM Stamatis Zampetakis <zabe...@gmail.com> wrote:
> Hi Francis,
>
> Yes you are right. To remove the warning the release signing key needs to
> be either signed directly by myself or transitively through the notion of
> trust [1].
> I am hoping that signing each other's keys will also make the warning
> disappear along with the other benefits.
>
> I am in UTC+2 but I am willing to join in non-conventional hours if we
> cannot find a reasonable slot that works.
> We can also set up two or more slots with some people joining multiple if
> possible.
>
> Best,
> Stamatis
>
> [1] https://www.gnupg.org/gph/en/manual/x334.html
>
> On Mon, Mar 28, 2022 at 12:43 AM Francis Chuang <francischu...@apache.org>
> wrote:
>
> > Hi Stamatis,
> >
> > Thanks for bringing this up. I think this is a good idea. I am in UTC+11
> > and will be in UTC+10 starting this Sunday.
> >
> > Regarding the warning from GPG, I think GPG does not trust the keys you
> > add to its database by default. In order to get GPG to trust it, I think
> > we need to sign all the keys in the database ourselves, so that it
> > becomes trusted.
> >
> > In any case, I think expanding the web of trust is still quite important
> > and having more people sign each other's keys is a good thing. The main
> > challenge is probably people being in vastly different timezones /
> > geographies, but hopefully we can sort something out.
> >
> > Francis
> >
> > On 28/03/2022 8:33 am, Stamatis Zampetakis wrote:
> > > Hi all,
> > >
> > > As it was brought up in the past few releases our web of trust [1] is not
> > > very strong.
> > >
> > > We're many members in the PMC, and many more in the broader community, but
> > > very few have signed each other's PGP keys.
> > >
> > > In most of the cases when I verify a release I will get a fair warning that
> > > the key used to sign the release is not trusted. This may be OK for
> > > non-regular contributors testing a release candidate but it shouldn't be
> > > the norm for those with binding votes.
> > >
> > > I think we should take action and hold a key signing party where at least
> > > the active members in the PMC sign each other's keys. If others find this
> > > subject important we can start directly discussing a date convenient for
> > > the majority.
> > >
> > > Going one step further, I would propose to make key signing part of the
> > > procedure of inviting someone to join the project as committer/PMC. The one
> > > who sends the invitation can also sign the key of the new member, directly
> > > expanding the web of trust for the whole PMC.
> > >
> > > Let me know your thoughts.
> > >
> > > Best,
> > > Stamatis
> > >
> > > [1] https://en.wikipedia.org/wiki/Web_of_trust