Ricky Zhou wrote: >> The FAS just needs to be able to access the key someone has signed >> the CLA with, right? Perhaps instead of requiring any particular >> keyserver at all, the sign up could just let the user paste their >> key? Then, with a little bit of pygpgme (or whatever glue you >> like), add that key to an FAS keyring and verify the CLA signature. >> I could be missing something obvious about why the process requires >> using a keyserver, but it seems to me like that requirement could >> be removed without much trouble. > > For what it's worth, this would make it way easier to implement from > the pygpgme side. Right now, I don't see any nice mechanism for > downloading keys from the keyserver (although I might just be > missing it), and the current CLA code uses kind of a hack with > keyserver-options auto-key-retrieve, which only works when we're > verifying a signature. > > I'm not sure if there's some legal purpose to requiring the key to > be on a public keyserver, though (and I think it ends up being more > convenient/useful if we end up pulling from an online keyserver. Ahh, I hadn't thought about the potential of a legal reason to use a public keyserver. Having a FAS keyring with all the contributors keys could be handy too, for those of us that use gpg regularly. Debian has a package of their gpg keyring even: http://packages.debian.org/debian-keyring :) But that's much outside of the CLA's need for gpg of course. -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Reason obeys itself; and ignorance does whatever is dictated to it. -- Thomas Paine
Attachment:
pgpJ1Iirgg93I.pgp
Description: PGP signature
_______________________________________________ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
