[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Keysigning in times of COVID-19

On 2020-08-06 11:54 a.m., Enrico Zini wrote:
> What do you think could be alternative key signing policies, that would
> be acceptable to you, that would not require traveling and meeting face
> to face?

Hello Enrico :)

Thank you for bringing this up.

On 2020-08-06 1:26 p.m., Johannes Schauer wrote:
> So in my opinion (and please correct my assumptions if they are
> wrong), an acceptable key signing policy would also be one, where a
> prospective DM has shown over several months to produce work that is
> always signed with the same key and maybe even communicated (for
> example via email, maybe even encrypted) using that GPG key.

This makes sense.

Whoever advocated for me to become a DD advocated for the person that
was signing patches with E301 54F5 429F FBB9 B22E 49C2 DA82 830E 3CCC
3A3A. They had never met me. It didn't matter. My key was added to the
keyring because whoever was signing emails and uploaded with that key
seemed to care enough about Debian and seemed to produce work that is
good enough to be let in the archive.

There were also DD signatures on my key at the time, but none of them
had worked with me. They only loosely verified that the awkward guy at
the coffee shop received or intercepted emails sent at

I have recently advocated for somebody to become DM. I have some
indirect connection with him in the real world, but I have never met him
in person. Having his key signed is blocking his NM DM process.

I am sure that I "know" this guy. He signs all of his messages with the
same PGP key. He signs all of his patches with the same PGP key. He
cares about Debian. He asks good questions. If we meet at DebConf, I'll
be able to tell that its him. I'll point him to you guys so that you
know who he is.

We will organize a video call, just to meet outside of emails, but I
won't verify his ID, and I will sign his key so that we can move forward.

Feel free to attribute whatever value that you want to that signature. I
think that given my history with that person it holds much more values
than the 2-minutes KSP ones.


Alexandre Viau

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: