GPG key really needed?

Patrick Barnes nman64 at n-man.com
Sat Jan 14 03:53:13 UTC 2006


Josh Boyer wrote:
> Ok, so I'm trying to figure out what good uploading a GPG key into the
> accounts system is.  Here's how I see it:
>
> 1.  The only thing it's used for is potentially signing the CLA.  I say
> potentially because both
>
> http://www.fedoraproject.org/wiki/Infrastructure/AccountSystem/RequestCLA
>
> and
>
> http://www.fedoraproject.org/wiki/Infrastructure/AccountSystem
>
> say "You can sign the CLA".  If it's required, we should change it to
> "must sign the CLA".
>   
They read "can" and not "must" due to the option of using a written
signature and postal courier.  CLAs may also not be necessary in all cases.
> 2.  Even if 1) is done, we don't use GPG keys for anything else.  We
> don't sign packages with them.
>
> Using them to sign emails is fine, but it's not required.  And there is
> no listing of contributors and their GPG keys so finding a user's GPG key
> has to be done via searches on key servers anyway.
>
> So...  is it really needed?  Or maybe a better question is can we make
> it more useful somehow?
>
> josh
>
>   
Part of it is availability.  It is likely that more use of GPG keys will
be made in the future.  It is also important that when the time comes
that your GPG key is needed, we can verify that it is the same key as
you have provided to the account system.  It is also possible to verify
the GPG key ID for any particular user in the Account System, which the
paranoid or thorough are free to do.  Anyone can check what GPG key ID
another user has registered in the Account System, but you are correct
in that there is no single list.  You must specify the single account
you wish to check.  Really, all contributions that are provided through
an insecure means *should* be GPG-signed, though this is not enforced.

-- 
Patrick "The N-Man" Barnes
nman64 at n-man.com

http://www.n-man.com/
-- 
Have I been helpful?  Rate my assistance!  http://rate.affero.net/nman64/
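As an added illustration of the check Patrick describes (this is not code from the list or from Fedora's account system), the following Python parses the status output of `gpg --verify` and compares the signer's full fingerprint with the fingerprint registered for that account; the registered fingerprint and the status lines are constructed sample values, and `verify_with_gpg` assumes a `gpg` binary on PATH.

```python
import subprocess
from typing import Optional

# Constructed: the fingerprint a contributor registered in the account system
# (a made-up value, not a real key).  Store the full 40-hex fingerprint, not
# the 8- or 16-hex key ID: distinct keys can share a key ID.
REGISTERED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed sample of `gpg --batch --status-fd 1 --verify` output for a
# good signature by the registered key.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Contributor <contrib@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2006-01-13 1137124393 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: a different key whose short key ID (01234567) collides with the
# registered key's.  GOODSIG alone would look fine; the fingerprint does not.
SAME_KEYID_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9801234567 Someone Else <other@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA98FEDCBA9801234567 2006-01-13 1137124393 0 4 0 1 2 00 FEDCBA9876543210FEDCBA98FEDCBA9801234567
"""

# Constructed: a signature that does not verify at all.
BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Example Contributor <contrib@example.org>\n"


def signer_fingerprint(status_output: str) -> Optional[str]:
    """Return the primary-key fingerprint from gpg's VALIDSIG line, or None
    when gpg reported no valid signature (BADSIG, ERRSIG, NO_PUBKEY, ...)."""
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            # Field 2 is the fingerprint of the (sub)key that signed; the
            # optional 12th field is the primary key's fingerprint.  A signing
            # subkey is still the registered user's key, so prefer the primary.
            return (fields[-1] if len(fields) >= 12 else fields[2]).upper()
    return None


def matches_registered(status_output: str, registered_fpr: str) -> bool:
    """True only if the signature is valid AND made by the registered key."""
    fpr = signer_fingerprint(status_output)
    return fpr is not None and fpr == registered_fpr.replace(" ", "").upper()


def verify_with_gpg(signature_path: str, data_path: str, registered_fpr: str) -> bool:
    """Run gpg on a detached signature and apply the fingerprint check."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify",
                           signature_path, data_path], capture_output=True, text=True)
    return matches_registered(proc.stdout, registered_fpr)
```

The point of the comparison is that a "good signature" from gpg only says some key in the keyring signed the data; the account-system fingerprint is what ties the signature to a specific contributor.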

