Jakub Wilk said [Thu, Jun 23, 2016 at 07:30:42PM +0200]:
> * Nikolaus Rath <nikol...@rath.org>, 2016-06-23, 09:23:
> >I am wondering if the extra burden is worth the gain in security. If
> >everyone were to follow this procedure then the bar to becoming a Debian
> >developer would be raised significantly.
>
> As a data point, if everybody[0]'s key signing policy had been that
> establishing "social bonds" was a prerequisite, I would have almost
> certainly never become a DD.
>
> [0] And by "everybody" I mean that one developer that happened to live in
> the same big city as me.
Of course, the same can be said for me. My first signature was by Bdale, when he was invited to give a talk in Mexico (and I jumped to find him), and my next three were by three DDs living at the time in Munich, where I went for a conference. We had no previous knowledge of each other.

I have at times advocated to DAM for accepting a DD with no signatures on his key when it was clear they were unable to get any; I have (and will) sign many keys without clearly meeting the criteria I delineated, but always on a one-on-one basis (and never again on a mass KSP).

I will not formally specify my signing policy as some do¹, as I use these criteria just as *criteria*, not as a hard guideline. And I don't expect you or any of the participants on this thread to apply the exact same criteria I do, much less with the same exceptions I make. I just insist on showing my stand on this... And *try* to be coherent with what I believe to be a right usage, without being at the same time a PITA.

-- 
¹ From the people that have signed my key:
http://martin-krafft.net/gpg/cert-policy/55c9882d999bbcc4/200907121833?sha512sum=f33b17c9af515bd98b2927cb453a992d3d7500e9f671966616e90510b9940895108d241648d1a0eb46b32bcbf3251a136a6ee1e2275745e11bb328c14e7e7263
http://www.golden-gryphon.com/download/policy.20090821.txt?version=1.0&sha256sum=03b987f1eefa098c350929157e9c6ef5d234970c406e748935e65c0efcceaebb