GPG key really needed?
Josh Boyer
jwboyer at jdub.homelinux.org
Sat Jan 14 03:18:59 UTC 2006
Ok, so I'm trying to figure out what good uploading a GPG key into the
accounts system is. Here's how I see it:
1. The only thing it's used for is potentially signing the CLA. I say
potentially because both
http://www.fedoraproject.org/wiki/Infrastructure/AccountSystem/RequestCLA
and
http://www.fedoraproject.org/wiki/Infrastructure/AccountSystem
say "You can sign the CLA". If it's required, we should change it to
"must sign the CLA".
2. Even if 1) is done, we don't use GPG keys for anything else. We
don't sign packages with them.
Using them to sign emails is fine, but it's not required. And there is
no listing of contributors and their GPG keys so finding a user's GPG key
has to be done via searches on key servers anyway.
So... is it really needed? Or maybe a better question is can we make
it more useful somehow?
josh
More information about the fedora-extras-list
mailing list