[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Endorsing Gunnar Hjalmarsson's key F235A25E8A2A9718D7D8BDA36C79687A51F6608C

Gunnar Hjalmarsson dijo [Sun, Jan 10, 2021 at 01:10:34AM +0100]:
> > > > I have known Gunnar for years under the key
> > > > 
> > > >   0CFE 997B 7245 80A7 FA72  F8CF F0B1 10E7 5A69 2F32
> > > 
> > > I'm afraid Gunnar didn't take the habit of signing his mail and side
> > > work, only his uploads of packages on Ubuntu repos. We'll have to
> > > see if Keyring Maintainers would be okay with you endorsing his new
> > > key relying on signed work he did in unbutu with his older one.
> > > 
> > > Not sure of their answer.
> > 
> > In general I'm not a fan of key changes as part of AM processes; it is
> > much better to continue with an established key if there is no pressing
> > reason to change. A well known 2048R key trumps a new 4096R with no
> > cross signatures.
> Thanks for that clarification, Jonathan! I created the new key solely
> because I thought it would strengthen my case with respect to endorsing. And
> now you say that the opposite is true.
> Needless to say I can switch back to my old key and attach that one to my
> application instead. If that's what you recommend, can you please confirm
> and I'll accomplish the switch.

Yes, I also suggest you go back and complete the process with your
present key. Parallelly, build trust on your 4096R key (or a EC one,
or whatnot). And when your new key has been around and carrries enough
recognition, request the update, we (keyring-maint) will be happy to
do it.

Please understand key endoresements are a very new and not fully
proven and understood method to cope with a series of changes both in
the technical and the social infrastructure we live with. We have yet
to learn how to properly juggle with them.

> @Pierre-Elliott: That sounds as a 'door opener' to me and it would eliminate
> at least one of the reasons for your doubts, wouldn't it?

I certainly hope so!

Attachment: signature.asc
Description: PGP signature

Reply to: