Expanding the Web of trust in the Calcite community / PGP Key signing

2022-03-27 Thread Stamatis Zampetakis
Hi all, As it was brought up in the past few releases, our web of trust [1] is not very strong. We're many members in the PMC, and many more in the broader community, but very few have signed each other's PGP keys. In most of the cases when I verify a release I will get a fair warning that the ke

Re: Expanding the Web of trust in the Calcite community / PGP Key signing

2022-03-27 Thread Francis Chuang
Hi Stamatis, Thanks for bringing this up. I think this is a good idea. I am in UTC+11 and will be in UTC+10 starting this Sunday. Regarding the warning from GPG, I think GPG does not trust the keys you add to its database by default. In order to get GPG to trust it, I think we need to sign a

Re: Expanding the Web of trust in the Calcite community / PGP Key signing

2022-03-28 Thread Stamatis Zampetakis
Hi Francis, Yes you are right. To remove the warning the release signing key needs to be either signed directly by myself or transitively through the notion of trust [1]. I am hoping that signing each other's keys will also make the warning disappear along with the other benefits. I am in UTC+2 b

Re: Expanding the Web of trust in the Calcite community / PGP Key signing

2022-03-28 Thread Ruben Q L
Hello, thanks Stamatis for starting this discussion. I agree with your proposals. I'm in UTC+1 right now (UTC in winter).

Best,
Ruben

On Mon, Mar 28, 2022 at 9:22 AM Stamatis Zampetakis wrote:
> Hi Francis,
>
> Yes you are right. To remove the warning the release signing key needs to
> be ei