Hi Stamatis,

Thanks for bringing this up. I think this is a good idea. I am in UTC+11 and will be in UTC+10 starting this Sunday.

Regarding the warning from GPG, I think GPG does not trust the keys you add to its database by default. In order to get GPG to trust them, I think we need to sign all the keys in the database ourselves, so that they become trusted.

In any case, I think expanding the web of trust is still quite important and having more people sign each other's keys is a good thing. The main challenge is probably people being in vastly different timezones / geographies, but hopefully we can sort something out.

Francis

On 28/03/2022 8:33 am, Stamatis Zampetakis wrote:
Hi all,

As was brought up in the past few releases, our web of trust [1] is not
very strong.

We're many members in the PMC, and many more in the broader community, but
very few have signed each other's PGP keys.

In most of the cases when I verify a release I will get a fair warning that
the key used to sign the release is not trusted. This may be OK for
non-regular contributors testing a release candidate but it shouldn't be
the norm for those with binding votes.

I think we should take action and hold a key signing party where at least
the active members in the PMC sign each other's keys. If others find this
subject important we can start directly discussing a date convenient for
the majority.

Going one step further, I would propose to make key signing part of the
procedure of inviting someone to join the project as committer/PMC. The one
who sends the invitation can also sign the key of the new member, directly
expanding the web of trust for the whole PMC.

Let me know your thoughts.

Best,
Stamatis

[1] https://en.wikipedia.org/wiki/Web_of_trust
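A check that turns the warning Francis and Stamatis describe into a machine-readable release gate, added here as an example that is not from the thread: it parses the status lines gpg emits with `--status-fd` during `gpg --verify`; the key ID, user ID and verdict names are constructed placeholders.

```python
# Added example (not from the thread): classify `gpg --status-fd 1 --verify`
# output so a release check can tell "good signature, key outside our web of
# trust" (the warning discussed above) from "trusted signer" and "bad signature".
import re
from dataclasses import dataclass
from typing import Optional

# Trust levels gpg emits on the status fd, ordered weakest to strongest.
TRUST_ORDER = ("TRUST_NEVER", "TRUST_UNDEFINED", "TRUST_MARGINAL",
               "TRUST_FULLY", "TRUST_ULTIMATE")
STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")

@dataclass
class Verdict:
    status: str  # accept | untrusted-key | reject | no-key | unknown
    key_id: Optional[str]
    trust: Optional[str]

def classify(status_output: str) -> Verdict:
    """Reduce gpg status-fd lines to one verdict for a release check."""
    goodsig = badsig = no_pubkey = trust = None
    for line in status_output.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue  # human-readable text, not a machine status line
        keyword, args = m.group(1), (m.group(2) or "")
        if keyword == "GOODSIG":
            goodsig = args.split()[0]  # long key ID of the signer
        elif keyword == "BADSIG":
            badsig = args.split()[0]
        elif keyword == "NO_PUBKEY":
            no_pubkey = args.split()[0]
        elif keyword in TRUST_ORDER:
            trust = keyword  # validity gpg computed from the web of trust
    if badsig:
        return Verdict("reject", badsig, trust)
    if no_pubkey:
        return Verdict("no-key", no_pubkey, None)
    if goodsig is None:
        return Verdict("unknown", None, trust)
    # Signature is valid; accept only if the signer's key is at least fully
    # trusted (signed by us or by enough keys we trust). TRUST_UNDEFINED is
    # the "not certified with a trusted signature" warning case.
    if trust and TRUST_ORDER.index(trust) >= TRUST_ORDER.index("TRUST_FULLY"):
        return Verdict("accept", goodsig, trust)
    return Verdict("untrusted-key", goodsig, trust)

# Constructed sample: a valid signature from a key nobody in the PMC has signed.
SAMPLE_UNTRUSTED = """[GNUPG:] GOODSIG 0123456789ABCDEF Release Manager (EXAMPLE) <rm@example.invalid>
[GNUPG:] TRUST_UNDEFINED 0 pgp"""
```

Feed it the status lines from `gpg --status-fd 1 --verify release.tgz.asc release.tgz`. The same signature moves from untrusted-key to accept once the verifier's own key, or enough keys it assigns owner trust to, has signed the release manager's key, which is exactly what the proposed key signing party achieves.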
