GPG key really needed?

Patrick Barnes nman64 at n-man.com
Sat Jan 14 08:47:08 UTC 2006


Josh Boyer wrote:
> On Fri, 2006-01-13 at 21:53 -0600, Patrick Barnes wrote:
> > Josh Boyer wrote:
> > > Ok, so I'm trying to figure out what good uploading a GPG key into the
> > > accounts system is.  Here's how I see it:
> > >
> > > 1.  The only thing it's used for is potentially signing the CLA.  I say
> > > potentially because both
> > >
> > > http://www.fedoraproject.org/wiki/Infrastructure/AccountSystem/RequestCLA
> > >
> > > and
> > >
> > > http://www.fedoraproject.org/wiki/Infrastructure/AccountSystem
> > >
> > > say "You can sign the CLA".  If it's required, we should change it to
> > > "must sign the CLA".
> > >   
> > They read "can" and not "must" due to the option of using a written
> > signature and postal courier.  CLAs may also not be necessary in all cases.
>
> Could we change them to say "If you submit the CLA via email, you must
> sign it with your GPG key" or something similar then?
>   
I'll add such a correction to my to-do list.  Good suggestion.  :-)
> > > So...  is it really needed?  Or maybe a better question is can we make
> > > it more useful somehow?
> > >   
> > Part of it is availability.  It is likely that more use of GPG keys will
> > be made in the future.  It is also important that when the time comes
> > that your GPG key is needed, we can verify that it is the same key as
> > you have provided to the account system.  It is also possible to verify
>
> But in the meantime, folks that don't use GPG keys for any other reason
> are probably forgetting passwords for them, deleting them on accident,
> etc.  In the future is fine, but could you elaborate on what the future
> use may be?
>   
Use your imagination.  ;-)

An important principle in the use of GPG keys is reputation.  People
need to handle their keys and passcodes responsibly, so that they can
consistently use the same keys and establish a reputation behind those
keys.  The use of keys in the Account System is an important part of
establishing that reputation with the Fedora Project.
> > the GPG key ID for any particular user in the Account System, which the
> > paranoid or thorough are free to do.  Anyone can check what GPG key ID
> > another user has registered in the Account System, but you are correct
> > in that there is no single list.  You must specify the single account
>
> Such a list wouldn't be hard to generate though, would it?
>   
I'm sure it would be relatively simple to add this capability to the
Account System.  Without an immediate need, it is hard to put pressure
on someone to make it happen, though.  The Infrastructure team is
expecting a little better access to the Account System code, at which
point someone might start hacking in some additional new features.
> > you wish to check.  Really, all contributions that are provided through
> > an insecure means *should* be GPG-signed, though this is not enforced.
>
> Can you elaborate on what contributions you're talking about?  Email,
> maybe.  Though I doubt signing everything is all that important.
> Anything else you're thinking of?
>   
Any contribution sent by any insecure means.  This could include, but is
not limited to, packages, patches, documents/presentations, or scripts
sent through email, posted on the wiki, published to other websites,
etc.  Any method which does not allow verification of the origin should
be supported with GPG signatures.  This isn't even a documented
practice, but it probably should be.
> josh
>
>   


-- 
Patrick "The N-Man" Barnes
nman64 at n-man.com

http://www.n-man.com/
-- 
Have I been helpful?  Rate my assistance!  http://rate.affero.net/nman64/


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/fedora-extras-list/attachments/20060114/10f9e828/attachment.sig>
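
The check described in the message above (confirming that a signed contribution was made with the same key the contributor registered), as an added example that is not part of the original post and not Fedora Account System code. It parses the machine-readable status lines GnuPG emits with `--status-fd`; the sample status text is constructed, and the function names and the form of the registered key ID are assumptions.

```python
import re

# Status keywords from GnuPG's doc/DETAILS that mean "do not trust this signature".
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample of `gpg --status-fd 1 --verify` output (not from a real key).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed User <user@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2006-01-14 1137228428 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED
"""

def normalize_key_id(key_id):
    """Strip '0x' and whitespace, upper-case, and validate the hex length."""
    k = re.sub(r"\s+", "", key_id).upper()
    if k.startswith("0X"):
        k = k[2:]
    if not re.fullmatch(r"[0-9A-F]+", k) or len(k) not in (8, 16, 40):
        raise ValueError("not a key ID or fingerprint: %r" % key_id)
    return k

def check_signature(status_text, registered_key_id):
    """Return (ok, reason) for the status output of one signature check."""
    registered = normalize_key_id(registered_key_id)  # hypothetical account value
    good, primary_fpr = False, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in REJECT:
            return False, "gpg reported " + keyword
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # The 10th field is the primary key fingerprint when present;
            # otherwise fall back to the signing key's own fingerprint.
            primary_fpr = (args[9] if len(args) >= 10 else args[0]).upper()
    if not (good and primary_fpr):
        return False, "no GOODSIG/VALIDSIG pair in status output"
    # A key ID is the trailing 8 or 16 hex digits of a v4 fingerprint.
    if not primary_fpr.endswith(registered):
        return False, "signed by %s, not the registered key" % primary_fpr
    if len(registered) == 8:
        return True, "match on 32-bit key ID only (collidable)"
    return True, "match"
```

A match on an 8-digit key ID is reported separately because short IDs can be made to collide; comparing against a registered full fingerprint avoids that.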

