Re: GPG key really needed?

Josh Boyer wrote:
> Ok, so I'm trying to figure out what good uploading a GPG key into the
> accounts system is.  Here's how I see it:
>
> 1.  The only thing it's used for is potentially signing the CLA.  I say
> potentially because both
>
> http://www.fedoraproject.org/wiki/Infrastructure/AccountSystem/RequestCLA
>
> and
>
> http://www.fedoraproject.org/wiki/Infrastructure/AccountSystem
>
> say "You can sign the CLA".  If it's required, we should change it to
> "must sign the CLA".
>

They read "can" and not "must" due to the option of using a written
signature and postal courier.  CLAs may also not be necessary in all cases.

> 2.  Even if 1) is done, we don't use GPG keys for anything else.  We
> don't sign packages with them.
>
> Using them to sign emails is fine, but it's not required.  And there is
> no listing of contributors and their GPG keys so finding a user's GPG key
> has to be done via searches on key servers anyway.
>
> So...  is it really needed?  Or maybe a better question is can we make
> it more useful somehow?
>
> josh
>
>

Part of it is availability.  It is likely that more use of GPG keys will
be made in the future.  It is also important that when the time comes
that your GPG key is needed, we can verify that it is the same key as
you have provided to the account system.  It is also possible to verify
the GPG key ID for any particular user in the Account System, which the
paranoid or thorough are free to do.  Anyone can check what GPG key ID
another user has registered in the Account System, but you are correct
in that there is no single list.  You must specify the single account
you wish to check.  Really, all contributions that are provided through
an insecure means *should* be GPG-signed, though this is not enforced.

-- 
Patrick "The N-Man" Barnes
nman64@xxxxxxxxx

http://www.n-man.com/
-- 
Have I been helpful?  Rate my assistance!  http://rate.affero.net/nman64/


-- 
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list
