[csw-maintainers] [policy] GPG Signing Key handling

Peter FELECAN pfelecan at opencsw.org
Thu Feb 10 11:25:19 CET 2011


Philip Brown <phil at bolthole.com> writes:

> On Wed, Feb 9, 2011 at 12:38 AM, Peter FELECAN <pfelecan at opencsw.org> wrote:
>>...
>> The GPG signing key is the asset of the OpenCSW foundation.
>> The representatives of the foundation are the 3 board main members.
>> Consequently it should be held by them.
>>
>> I think that today we have the following situation: the previous
>> president of the foundation and a non member of the foundation hold the
>> GPG signing key.
>
> I don't see how the current holder being "the previous president" has
> any relevance. Are you somehow suggesting that if I were not the prior
> president, you would have no objections?[...]

Not at all.

>> Are you saying that This is unacceptable. I cannot resist the caricature of
>> this: as if George W. Bush and Kim Jong Il hold exclusively the nuclear
>> codes of the United States.
>
> and this is just gratuitously insulting.

Don't you understand metaphors? Analogies? The purpose of this wasn't to
insult but to show a similarity.

> In contrast, I hold the gpg signing key not because I was board
> president, but because I am the current release manager. Since I
> continue to be, for now, the current release manager, it makes sense
> for me to hold the keys, because I have a functional need to do so.
> If at some time in the future, there is a new release manager, I will
> turn over the key to them without complaint.

I think that the release management role should dispose, non-exclusively,
of the GPG signing key. The keywords here are "non-exclusively".

> I think the majority of members consider James to be a trustworthy
> person, as I hope they also do myself.
> While James has not requested to become "a member of the
> organization", he is still a maintainer in good standing.
> Not being a member, merely means he does not get a "vote" in things. I
> do not see how that makes him any less trustworthy, however.

It's not a question of trust but of the paradox of your opinion: a non-member
can have the key but the members of the board don't.

> As such, I hope that the current level of redundancy for our signing
> keys will be deemed as adequate for our members.

There is at least one member who deems that inadequate: me. The vote will
decide if I'm alone in which case I will comply. On the contrary, will
you?
-- 
Peter
