GPG key really needed?

Josh Boyer jwboyer at jdub.homelinux.org
Sat Jan 14 04:26:57 UTC 2006


On Fri, 2006-01-13 at 21:53 -0600, Patrick Barnes wrote:
> Josh Boyer wrote:
> > Ok, so I'm trying to figure out what good uploading a GPG key into the
> > accounts system is.  Here's how I see it:
> >
> > 1.  The only thing it's used for is potentially signing the CLA.  I say
> > potentially because both
> >
> > http://www.fedoraproject.org/wiki/Infrastructure/AccountSystem/RequestCLA
> >
> > and
> >
> > http://www.fedoraproject.org/wiki/Infrastructure/AccountSystem
> >
> > say "You can sign the CLA".  If it's required, we should change it to
> > "must sign the CLA".
> >   
> They read "can" and not "must" due to the option of using a written
> signature and postal courier.  CLAs may also not be necessary in all cases.

Could we change them to say "If you submit the CLA via email, you must
sign it with your GPG key" or something similar then?

> > So...  is it really needed?  Or maybe a better question is can we make
> > it more useful somehow?
> >   
> Part of it is availability.  It is likely that more use of GPG keys will
> be made in the future.  It is also important that when the time comes
> that your GPG key is needed, we can verify that it is the same key as
> you have provided to the account system.  It is also possible to verify

But in the meantime, folks that don't use GPG keys for any other reason
are probably forgetting passwords for them, deleting them by accident,
etc.  In the future is fine, but could you elaborate on what the future
use may be?

> the GPG key ID for any particular user in the Account System, which the
> paranoid or thorough are free to do.  Anyone can check what GPG key ID
> another user has registered in the Account System, but you are correct
> in that there is no single list.  You must specify the single account

Such a list wouldn't be hard to generate though, would it?

> you wish to check.  Really, all contributions that are provided through
> an insecure means *should* be GPG-signed, though this is not enforced.

Can you elaborate on what contributions you're talking about?  Email,
maybe.  Though I doubt signing everything is all that important.
Anything else you're thinking of?

josh

More information about the fedora-extras-list mailing list