[OSDC Israel] PGP Keysigning BOF

Amit Aronovitch aronovitch at gmail.com
Sat Feb 25 01:02:31 PST 2006


Steph Fox wrote:

>> You forgot to mention one aspect which is specifically useful for Open
>> Source Developers:
>>
>> If you have your key signed, you can post/upload signed files and
>> patches, that people can be sure are from YOU.
>> If you participate in a public, decentralized project, this is a crucial
>> element - otherwise your codebase would be wide open for crackers and
>> assorted troublemakers to insert their malicious stuff.
>> Many projects have already incorporated gpg signing/verifying into
>> their infrastructure (e.g. Debian ...)
>
>
> What, no CVS/SVN?
>
> - Steph

Seems that we have some misunderstanding (that's the nature of mailing
lists...)

Rough clarification of what I mean by "decentralized" above - consider
the following question:

Does your project accept major code contribution from people you have
never seen?

* If you answer "no", or "yes, but I read every line and re-edit to suit
my taste" (note: this is unrealistic for large scale projects - that's
why I chose Debian as an example) - then it's what I call a *centralized*
project.

* If you answer "yes", then you must have some way to verify IDs. PGP
or any other way - in the end it comes down to establishing a web of
trust. The way you manage your repository has nothing to do with it.

Bottom line: revision control software is almost completely irrelevant
to the issue I mentioned (the "almost" is basically a matter of
convenience, but I won't pursue that here - that's what the BOFs are
for :-) ).

 -- Amit
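[Editor's note: the two points above - that a signed patch lets others check it really came from you, and that whether they *trust* that check comes down to the web of trust - can be seen end to end with GnuPG. The script below is an added example, not something posted to this thread or part of any project's infrastructure. A contributor creates a key and detach-signs a constructed patch; a maintainer imports the contributor's public key and verifies the patch, first with no certification on the key (good signature, undefined trust), then after counter-signing the key the way one would after a keysigning party (good signature, full trust), and finally after the patch has been altered (bad signature). The identities, e-mail addresses and patch text are invented for the demo, every key lives in a throwaway GNUPGHOME, and it assumes GnuPG 2.1 or newer.]

```shell
#!/bin/sh
# Added example, not code from the OSDC thread: sign a patch, verify it,
# and watch the trust level change once the signer's key is certified.
# Demo identities and the patch are constructed; keys live in temporary
# GNUPGHOME directories, so your real keyring is never touched.
# Requires GnuPG 2.1+ (for --quick-generate-key and --pinentry-mode).

# gpg_in HOME args... : run gpg against one throwaway keyring, quietly.
gpg_in() {
  dir=$1; shift
  GNUPGHOME="$dir" gpg --batch --no-tty "$@" 2>/dev/null
}

# make_key HOME UID : unprotected Ed25519 signing key for a demo identity.
# gpg marks a key it generated itself as ultimately trusted in that keyring.
make_key() {
  GNUPGHOME="$1" gpg --batch --yes --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$2" ed25519 sign 0 >/dev/null 2>&1
}

# key_fingerprint HOME UID : primary-key fingerprint from --with-colons output.
key_fingerprint() {
  gpg_in "$1" --with-colons --list-keys "$2" | awk -F: '/^fpr:/ { print $10; exit }'
}

# sign_patch HOME UID PATCH : ASCII-armoured detached signature in PATCH.asc,
# the form usually shipped next to a tarball or patch.
sign_patch() {
  GNUPGHOME="$1" gpg --batch --yes --pinentry-mode loopback --passphrase '' \
    --local-user "$2" --armor --detach-sign --output "$3.asc" "$3" 2>/dev/null
}

# verify_patch HOME PATCH SIG : prints one of
#   GOODSIG:TRUST_UNDEFINED  valid signature, but nothing vouches for the key yet
#   GOODSIG:TRUST_FULLY      valid signature from a key this keyring's web of trust accepts
#   GOODSIG:TRUST_ULTIMATE   valid signature from one of this keyring's own keys
#   BADSIG                   the file changed after it was signed
#   NO_PUBKEY                signer's key is not in this keyring
# Script against the --status-fd lines, never against the human-readable
# text (the "WARNING: This key is not certified" message is stderr only).
verify_patch() {
  status=$(gpg_in "$1" --status-fd 1 --verify "$3" "$2") || true
  case "$status" in
    *"[GNUPG:] BADSIG "*)    echo BADSIG ;;
    *"[GNUPG:] NO_PUBKEY "*) echo NO_PUBKEY ;;
    *"[GNUPG:] GOODSIG "*)
      trust=$(printf '%s\n' "$status" | sed -n 's/^\[GNUPG:\] \(TRUST_[A-Z_]*\).*/\1/p' | head -n 1)
      echo "GOODSIG:${trust:-TRUST_UNKNOWN}" ;;
    *) echo ERROR ;;
  esac
}

# countersign_key HOME FINGERPRINT : the keysigning-party step. The
# maintainer certifies the contributor's key with their own (ultimately
# trusted) key, so the contributor's key becomes fully valid here.
countersign_key() {
  GNUPGHOME="$1" gpg --batch --yes --pinentry-mode loopback --passphrase '' \
    --quick-sign-key "$2" >/dev/null 2>&1
  gpg_in "$1" --check-trustdb >/dev/null
}

# setup_demo : both keyrings, a constructed patch and its signature, with the
# contributor's public key imported on the maintainer side. Prints the workdir.
setup_demo() {
  work=$(mktemp -d)
  mkdir -m 700 "$work/contributor" "$work/maintainer"
  make_key "$work/contributor" "Demo Contributor <contributor@example.invalid>"
  make_key "$work/maintainer"  "Demo Maintainer <maintainer@example.invalid>"
  printf '%s\n' '--- a/hello.c' '+++ b/hello.c' '@@ -1 +1 @@' \
    '-puts("hello");' '+puts("hello, world");' > "$work/fix.patch"
  sign_patch "$work/contributor" contributor@example.invalid "$work/fix.patch"
  gpg_in "$work/contributor" --armor --export contributor@example.invalid > "$work/contributor.asc"
  gpg_in "$work/maintainer" --import "$work/contributor.asc"
  echo "$work"
}

# stop_agents HOME... : shut down the gpg-agents spawned for the throwaway homes.
stop_agents() {
  for d in "$@"; do GNUPGHOME="$d" gpgconf --kill gpg-agent 2>/dev/null || true; done
}

main() {
  W=$(setup_demo)
  echo "fresh import:  $(verify_patch "$W/maintainer" "$W/fix.patch" "$W/fix.patch.asc")"
  countersign_key "$W/maintainer" "$(key_fingerprint "$W/contributor" contributor@example.invalid)"
  echo "after signing: $(verify_patch "$W/maintainer" "$W/fix.patch" "$W/fix.patch.asc")"
  printf '+/* line added after signing */\n' >> "$W/fix.patch"
  echo "tampered:      $(verify_patch "$W/maintainer" "$W/fix.patch" "$W/fix.patch.asc")"
  stop_agents "$W/contributor" "$W/maintainer"
  rm -rf "$W"
}

# Run the walk-through with:  sh sign_demo.sh run
[ "${1:-}" = run ] && main
```

The point to take from the three verify results: a good signature only tells the maintainer that whoever holds the key signed this exact file. Whether that key belongs to the person it names is what the counter-signature (and the trust model on top of it) answers, which is why the verification status, not the bare exit code, is what a project's tooling should look at.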




More information about the OSDC-discuss mailing list