On 22 February 2016 at 13:00, Ralf Senderek <fed...@senderek.ie> wrote:
>
>> The Fedora team could get a profile and verify the key(s) through
>> github, the Fedora and Red Hat web sites, the Fedora magazine twitter
>> account, and by having the Fedora team all sign publicly.
>
> Every little helps. The important step would be if the Fedora devs state the
> fingerprints in a visible way that risks their good reputation if the
> information turned out to be incorrect. These statements would then be the
> foundation of trust in what the Fedora 24 key signs.
>

OK, and how many people check to see what another person's reputation
is? And how many people have gotten bad reputations from signing
bad things? It all sounds great on paper, but without actual methods
and regular checks... it is as useless as a keysigning party where no
one does a full check of the passport and driver's license with the
issuing authority. [We all do the $200.00 background check on
everyone we sign, don't we?]


>> Combined with having the key on getfedora.org, it at least provides a
>> measure of protection against our site being compromised. It also has
>> the benefit of, if someone knows of any Fedora devs on Twitter or
>> another service, they can follow the web of social-service trust. This
>> isn't as good as if they had a direct path to the Fedora WoT through
>> normal signatures, but it's much more likely to actually occur.
>
> Yes all of this, please.
> --
> devel mailing list
> devel@lists.fedoraproject.org
> http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org



-- 
Stephen J Smoogen.