Hi Francis,

Yes, you are right. To remove the warning, the release signing key needs to be either signed directly by myself or transitively through the notion of trust [1]. I am hoping that signing each other's keys will also make the warning disappear, along with the other benefits.

I am in UTC+2, but I am willing to join in non-conventional hours if we cannot find a reasonable slot that works. We can also set up two or more slots, with some people joining multiple if possible.

Best,
Stamatis

[1] https://www.gnupg.org/gph/en/manual/x334.html

On Mon, Mar 28, 2022 at 12:43 AM Francis Chuang <[email protected]> wrote:
> Hi Stamatis,
>
> Thanks for bringing this up. I think this is a good idea. I am in UTC+11
> and will be in UTC+10 starting this Sunday.
>
> Regarding the warning from GPG, I think GPG does not trust the keys you
> add to its database by default. In order to get GPG to trust it, I think
> we need to sign all the keys in the database ourselves, so that it
> becomes trusted.
>
> In any case, I think expanding the web of trust is still quite important
> and having more people sign each other's keys is a good thing. The main
> challenge is probably people being in vastly different timezones /
> geographies, but hopefully we can sort something out.
>
> Francis
>
> On 28/03/2022 8:33 am, Stamatis Zampetakis wrote:
> > Hi all,
> >
> > As was brought up in the past few releases, our web of trust [1] is not
> > very strong.
> >
> > We're many members in the PMC, and many more in the broader community, but
> > very few have signed each other's PGP keys.
> >
> > In most of the cases when I verify a release, I will get a fair warning that
> > the key used to sign the release is not trusted. This may be OK for
> > non-regular contributors testing a release candidate, but it shouldn't be
> > the norm for those with binding votes.
> >
> > I think we should take action and hold a key signing party where at least
> > the active members in the PMC sign each other's keys. If others find this
> > subject important, we can start directly discussing a date convenient for
> > the majority.
> >
> > Going one step further, I would propose to make key signing part of the
> > procedure of inviting someone to join the project as committer/PMC. The one
> > who sends the invitation can also sign the key of the new member, directly
> > expanding the web of trust for the whole PMC.
> >
> > Let me know your thoughts.
> >
> > Best,
> > Stamatis
> >
> > [1] https://en.wikipedia.org/wiki/Web_of_trust