Hi all,

As it was brought up in the past few releases our web of trust [1] is not very strong.

We're many members in the PMC, and many more in the broader community, but very few have signed each other's PGP keys. In most of the cases when I verify a release I will get a fair warning that the key used to sign the release is not trusted. This may be OK for non-regular contributors testing a release candidate but it shouldn't be the norm for those with binding votes.

I think we should take action and hold a key signing party where at least the active members in the PMC sign each other's keys. If others find this subject important we can start directly discussing a date convenient for the majority.

Going one step further, I would propose to make key signing part of the procedure of inviting someone to join the project as committer/PMC. The one who sends the invitation can also sign the key of the new member, directly expanding the web of trust for the whole PMC.

Let me know your thoughts.

Best,
Stamatis

[1] https://en.wikipedia.org/wiki/Web_of_trust
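One way to see where the web of trust is thin, as an added example that is not part of this mail: a Python script that parses the machine-readable output of `gpg --list-keys --with-colons` and lists the keys whose validity is below "full", i.e. the ones that make `gpg --verify` print the "key is not trusted" warning. The keyring path, the sample records and the names in them are constructed for illustration.

```python
"""List keys in a keyring that have not reached full web-of-trust validity.

Added example, not from the original mail. Field 2 of a pub:/uid: record in
`gpg --with-colons` output is the computed validity; anything below 'f'
(full) or 'u' (ultimate) is what triggers the "not trusted" warning.
"""
import subprocess

TRUSTED = {"f", "u"}  # full, ultimate
LABELS = {"-": "unknown", "q": "undefined", "n": "never", "m": "marginal",
          "f": "full", "u": "ultimate", "e": "expired", "r": "revoked"}


def parse_validity(colon_output):
    """Map key id -> (validity code, primary user id) from --with-colons text."""
    keys, current = {}, None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = fields[4]              # long key id is field 5
            keys[current] = [fields[1], None]
        elif fields[0] == "uid" and current and keys[current][1] is None:
            keys[current][1] = fields[9]     # user id string is field 10
    return {k: tuple(v) for k, v in keys.items()}


def untrusted_keys(colon_output):
    """Key ids whose release signatures would warn: validity not full/ultimate."""
    return sorted(k for k, (v, _) in parse_validity(colon_output).items()
                  if v not in TRUSTED)


def report(keyring=None):
    """Run gpg on a real keyring (optional path) and print one line per key."""
    cmd = ["gpg", "--list-keys", "--with-colons"]
    if keyring:  # e.g. a project KEYS file imported into its own keyring
        cmd += ["--no-default-keyring", "--keyring", keyring]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    for kid, (v, uid) in parse_validity(out).items():
        print(f"{kid}  {LABELS.get(v, v):9}  {uid}")


# Constructed sample: three PMC-style keys, only one with full validity.
SAMPLE = """\
tru::1:1700000000:0:3:1:5
pub:f:4096:1:AAAAAAAAAAAAAAAA:1600000000::::::scESC::::::23::0:
uid:f::::1600000000::HASH1::Alice Example <alice@example.org>::::::::::0:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1600000000::::::scESC::::::23::0:
uid:-::::1600000000::HASH2::Bob Example <bob@example.org>::::::::::0:
pub:m:4096:1:CCCCCCCCCCCCCCCC:1600000000::::::scESC::::::23::0:
uid:m::::1600000000::HASH3::Carol Example <carol@example.org>::::::::::0:
"""

if __name__ == "__main__":
    print("keys that would warn on --verify:", untrusted_keys(SAMPLE))
```

Running `report()` against a keyring built from the project's KEYS file gives a quick list of which signers still need cross-signatures before the party.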
