On Wed, 2005-01-19 at 03:54 +0100, Andrej Kacian wrote:
> On Tue, 18 Jan 2005 18:51:53 -0500
> Chris Gianelloni <[EMAIL PROTECTED]> wrote:
>
> > > Another question: Why are keys from new developers not signed? A minimum
> > > of one other dev must trust him, or not? :-)
> >
> > Trust him? Yes. Met him and able to prove that he is who he says that
> > he is? No.
>
> Well, I for one am really curious about how this "web of trust" issue will be
> solved. Some devs simply can't afford to go to the events where devs usually
> meet, be it time constraints, or simply a money issue.

So? Not every dev needs their key signed by another. GPG doesn't require it to function, and neither should we.

What if the developer has a friend that has signed his key, and *that* person goes to a show and has his key signed by, let's say, me? Now that developer's key is trusted, too. This is the entire basis of a web of trust.

Any dev that you cannot physically verify via government or school issued identification and their physical presence, should not be signed. Otherwise you are simply weakening the web of trust. In fact, for LWE key signing, we require 2 forms of picture identification.

-- 
Chris Gianelloni
Release Engineering - Operational/QA Manager
Games - Developer
Gentoo Linux
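
The transitive case described in the reply, worked through as an added example (not part of the original message): a simplified model of GnuPG's classic trust calculation, assuming its default thresholds of one fully trusted or three marginally trusted introducers and a maximum certification depth of 5. The key names `me`, `friend` and `newdev` are constructed; the model shows that the friend's signature validates the new developer's key only once the friend has also been assigned owner trust as an introducer.

```python
# Simplified model of GnuPG's classic trust calculation (added example).
# Assumed defaults: 1 fully trusted or 3 marginally trusted signers, depth <= 5.
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_DEPTH = 1, 3, 5


def valid_keys(me, sigs, ownertrust):
    """Return {key: depth} for every key considered valid from `me`'s keyring.

    sigs:       set of (signer, signee) certifications.
    ownertrust: key -> "full" | "marginal"; absent means not trusted as introducer.
    """
    depth = {me: 0}  # our own key is ultimately trusted
    for level in range(1, MAX_DEPTH + 1):
        newly = {}
        for signee in {s for _, s in sigs} - set(depth):
            full = marginal = 0
            for signer, target in sigs:
                if target != signee or signer not in depth:
                    continue  # signatures from non-valid keys count for nothing
                trust = "full" if signer == me else ownertrust.get(signer)
                full += trust == "full"
                marginal += trust == "marginal"
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly[signee] = level
        if not newly:
            break
        depth.update(newly)
    return depth


# Constructed keyring: I signed my friend's key at a show; the friend signed newdev.
SIGS = {("me", "friend"), ("friend", "newdev")}


def scenario(friend_trust):
    """Validity map when `friend` has the given owner trust (None = unset)."""
    ownertrust = {"friend": friend_trust} if friend_trust else {}
    return valid_keys("me", SIGS, ownertrust)


if __name__ == "__main__":
    for trust in (None, "marginal", "full"):
        print(f"friend ownertrust={trust!s:9} valid keys: {sorted(scenario(trust))}")
```
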
