It had to be done, given this thread's epic proportions... ;) [image: Identity]
http://xkcd.com/1121/ On Fri, Oct 5, 2012 at 1:04 PM, Benson Margulies <[email protected]>wrote: > I'm offering this discussion here, but it might need to go elsewhere > if it goes anywhere at all. > > It seems to me that the there is a gap in the incubation process, and > I don't know how to fill it. > > As far as I can see, we don't do anything to facilitate or encourage > getting PGP keys signed. We tell people to create a key and put it in > the SVN 'keys' file. > > Key signing strikes me as a bit of a conundrum for us. In all other > respects, we emphasize that anyone, anywhere, in any time zone, can be > a full member of a community. However, key signing requires something > else. [1] Generally, it requires a face-to-face interaction. > > It is perhaps interesting to note that the foundation accepts CLAs as > legally binding without any face-to-face identity verification. If you > send in a CLA with a signature, we believe it, and we believe that the > email address you provide is, in fact, controlled by the legal person > who signed the form. > > I wonder, then, if secretary@ should be willing to sign a key. > Alternatively, since the chain is CLA -> svn access -> unsigned key in > svn, perhaps all we really need is to document that a signature > corresponding to a key in svn is really good enough, and users need > not be concerned further. > > > > [1]: http://httpd.apache.org/dev/verification.html > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > > -- NS
