Hello,

we have people approaching Debian with a lack of GPG signatures, and we generally cannot ask them to travel and meet other developers in person to get their key signed.

Technically, we are not requiring that people meet a DD in person, only that people have their key signed by a DD.

Technically, every DD has their own policies for signing keys, which could go from not requiring meeting in person at all, to requiring to meet in person multiple times. It might require to check a government-issued photo ID, or it might not.

Practically, I feel like most of the time people's policies match what are the perceived expectations of the rest of the project. Meeting in person has always been a good safe bet, if only for the reason that it's been accepted without question for many years.

It's time to review those expectations.

For example, speaking of myself only, if my goal is to raise the cost of impersonation or sock puppet identities, then probably signing someone's key after having worked with them online for a significant time, would require a much higher cost than showing up at a keysigning party with a fake ID good enough to fool me.

Others may have other policies, and are likely to be acceptable. As DAM, I would have a problem if someone automatically signed the keys of every stranger who asked them nicely in an email. At the same time, I am open to the idea of policies that do not require meeting people in person.

I think the world has changed enough in the last months that currently perceived project expectations about key signing are getting out of alignment with practical realities, and it might be time to explore other options.

I do not intend to ask people to break their sensible signing policies so that people can get into Debian. I'm interested instead in exploring what signing policies people may have, or may be considering, that have been staying out of our narrative because we've always been having a specific standard one that worked.

What do you think could be alternative key signing policies, that would be acceptable to you, that would not require traveling and meeting face to face?

Enrico

--
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>