[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Keysigning in times of COVID-19

Enrico Zini wrote:

> we have people approaching Debian with a lack of GPG signatures, and we
> generally cannot ask them to travel and meet other developers in person
> to get their key signed.

It's worthwhile stating the actual problem that is trying to be solved

I believe that is: "Given difficulties with keysigning in the modern
environment, what does the project believe is the appropriate
verification of identification before we allow someone access to our
systems, the ability to upload packages and/or the ability to vote
within the project".

For a long time our default approach has been that a sufficiently signed
PGP key is our bar, with occasional exceptions when alternative
verification has been performed (I know in the past DAM has phoned
applicants when it has been impossible for them to obtain signatures).

Key signing has been creaking for a while, and I'm conscious even before
COVID-19 it was a bar that made things difficult for some applicants.
Equally DAM phoning everyone does not scale (and I'm not even sure how
it adds a significant extra level of assurance).

I worry that by framing this discussion in terms of "what would be an
acceptable weakening of our keysigning requirements" we are losing the
benefit we gain from keysigning, and avoiding the actual problem we want
to solve.


] https://www.earth.li/~noodles/ []  If a program is useless, it must  [
]  PGP/GPG Key @ the.earth.li    []           be documented.           [
] via keyserver, web or email.   []                                    [
] RSA: 4096/0x94FA372B2DA8B985   []                                    [

Attachment: signature.asc
Description: PGP signature

Reply to: