[openstack-dev] [all] Key signing at the summit?

Jeremy Stanley fungi at yuggoth.org
Tue Nov 11 14:02:20 UTC 2014


On 2014-11-11 08:26:30 +0800 (+0800), Thomas Goirand wrote:
[...]
> We then better have just an OpenStack keyring, just like there's a
> Debian developer keyring, on which we delegate the trust to some
> kind of organization (but this needs to be used for something...).
[...]

I've been putting together a plan to verify tag signatures against a
keyring within our release automation (primarily for the benefit of
proving a chain of custody when release artifacts are re-signed by
our infrastructure). While this doesn't necessarily require a strong
correlation in our web of trust, any human processes which grow up
around the automation have a potential to benefit from one.

> We use that time so we can gather in small groups of people that
> we don't know, and take the time to present ourselves to others,
> and tell what we do, who we are, etc.
[...]

This not only makes for a stronger web of trust, but also a stronger
community in general. However, it's not strictly necessary to have a
time organized across the entire project to engage one another in
intimate groups.
-- 
Jeremy Stanley
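
The keyring check on tag signatures that the message above plans, sketched as an added example; it is not part of the original post and is not OpenStack infrastructure code. It assumes the release job has captured GnuPG's machine-readable status lines (gpg --status-fd) for the tag. The fingerprints, keyring contents and function names are constructed for illustration.

```python
"""Added example: gate a release on GnuPG status output for a signed tag."""

# Constructed placeholder fingerprints (not real keys) standing in for the
# primary-key fingerprints held in a hypothetical release keyring.
RELEASE_KEYRING = {"A" * 40, "B" * 40}

# GnuPG status keywords that must cause rejection even if VALIDSIG also appears.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def parse_status(status_text):
    """Return (primary_fingerprints, status_keywords) from --status-fd output."""
    primaries, keywords = [], set()
    for line in status_text.splitlines():
        # Only machine-readable status lines count; free-form text is ignored.
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        keywords.add(fields[0])
        if fields[0] == "VALIDSIG" and len(fields) > 1:
            args = fields[1:]
            # args[0] is the signing (sub)key; the 10th argument, when present,
            # is the primary key fingerprint, which is what a keyring lists.
            primaries.append((args[9] if len(args) >= 10 else args[0]).upper())
    return primaries, keywords


def tag_is_trusted(status_text, keyring=RELEASE_KEYRING):
    """True only for exactly one valid signature from a key in the keyring."""
    primaries, keywords = parse_status(status_text)
    if keywords & REJECT:
        return False
    return len(primaries) == 1 and primaries[0] in keyring


def sample(signer, primary, extra=""):
    """Build constructed status output for one signature (sample data only)."""
    return (f"gpg: free-form text is not parsed\n{extra}"
            f"[GNUPG:] VALIDSIG {signer} 2014-11-11 1415714540 0 4 0 1 8 00 {primary}\n")


if __name__ == "__main__":
    print(tag_is_trusted(sample("C" * 40, "A" * 40)))  # subkey of a keyring member
    print(tag_is_trusted(sample("D" * 40, "D" * 40)))  # valid signature, unknown key
```

A signature that verifies cryptographically but comes from a key outside the keyring is rejected, which is the property a chain-of-custody check needs before artifacts are re-signed.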


