
Re: Keysigning in times of COVID-19

On Thursday, 06 August 2020 at 17:54:21+0200, Enrico Zini wrote:
> Hello,
> we have people approaching Debian with a lack of GPG signatures, and we
> generally cannot ask them to travel and meet other developers in person
> to get their key signed.
> Technically, we are not requiring that people meet a DD in person, only
> that people have their key signed by a DD.
> Technically, every DD has their own policies for signing keys, which
> could go from not requiring meeting in person at all, to requiring to
> meet in person multiple times. It might require to check a government
> issued photo ID, or it might not.
> Practically, I feel like most of the time people's policies match what
> are the perceived expectations of the rest of the project. Meeting in
> person has always been a good safe bet, if only for the reason that it's
> been accepted without question for many years.
> It's time to review those expectations.
> For example, speaking of myself only, if my goal is to raise the cost of
> impersonation or sock puppet identities, then probably signing someone's
> key after having worked with them online for a significant time, would
> require a much higher cost than showing up at a keysigning party with a
> fake ID good enough to fool me.
> Others may have other policies, and are likely to be acceptable.
> As DAM, I would have a problem if someone automatically signed the keys
> of every stranger who asked them nicely in an email. At the same time, I
> am open to the idea of policies that do not require meeting people in
> person.
> I think the world has changed enough in the last months that currently
> perceived project expectations about key signing are getting out of
> alignment with practical realities, and it might be time to explore
> other options.
> I do not intend to ask people to break their sensible signing policies
> so that people can get into Debian. I'm interested instead in exploring
> what signing policies people may have, or may be considering, that have
> been staying out of our narrative because we've always been having a
> specific standard one that worked.
> What do you think could be alternative key signing policies, that would
> be acceptable to you, that would not require traveling and meeting face
> to face?

IMHO, the issue with lowering keysigning policy is that these signatures
will be as valid as any other for later DD application, while we
probably don't want to lower our expectations for other status
applications than DM.

I'd rather try to solve the issue in a more sensible way: lower the
number of expected GPG signatures to 0 temporarily, and ask for two or
three advocacies from DDs.

We'd lose a bit of ID verification security for the DM status, but we
could regain this security when the DM applies to become a DD, as they'd
have to reach out to other developers and get their key signed.

This wouldn't solve the broader issue that can arise when one lives in a
place with no close DD and wants to become a DD themselves.

But it'd be a start.

Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528  F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.
