Open Stack

On 09/20/2013 01:50 PM, Clint Byrum wrote:
> Excerpts from Thomas Goirand's message of 2013-09-19 23:33:47 -0700:
>>
>> Hi,
>>
>> Has anyone thought about having a PGP key signing party during the
>> summit? Guys from the Linux kernel thought it was useless, but after the
>> hack of kernel.org, they started to understand it was useful, and now
>> they do have a "web of trust". As a package maintainer, I would very
>> much like to have a signing event during the next HK summit, and collect
>> signatures so that I can check the pgp signed tags, which to my very
>> satisfaction, starts to appear for every package release (not sure if
>> this comes from the fact I've been annoying everyone about it in this
>> list, though that's a very good thing).
> 
> I have been to two such events and they are extremely beneficial for growing
> the PGP web of trust.
> 
> http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#overview
> 
> Given the size of the summit, I suggest the hash based method.

I would Love to specifically request that everyone in OpenStack who is
going to be releasing software (so especially project PTLs, ttx and
infra) participate. I'd love to strengthen the release tools to not only
look for signed tags, but to look for tags signed by a key that is in
the web of trust (the technology exists for this - why not use it, right?)