
Re: [Xen-devel] [PATCH 1/1] Update TXT maintainter



On Fri, Mar 15, 2019 at 10:51 AM Wei Liu <wei.liu2@xxxxxxxxxx> wrote:
>
> On Fri, Mar 15, 2019 at 10:12:16AM -0600, Tamas K Lengyel wrote:
> > On Fri, Mar 15, 2019 at 4:58 AM Wei Liu <wei.liu2@xxxxxxxxxx> wrote:
> > >
> > > On Thu, Mar 14, 2019 at 06:25:42PM +0000, Julien Grall wrote:
> > > > Hi Wei,
> > > >
> > > > On 3/12/19 11:54 AM, Wei Liu wrote:
> > > > > Thanks. The format looks correct now.
> > > > >
> > > > > Shane, can you ack this patch?
> > > >
> > > > Do we also need Gang Wei acked-by to confirm he wants to be removed?
> > >
> > > In theory yes, but if Gang had left Intel there he couldn't possibly
> > > reply from his intel address. And there will be no way to verify if a
> > > Gang Wei email from any other address is the Gang Wei we're looking for.
> >
> > Perhaps for this reason it would be nice if each maintainer recorded a
> > pgp key in either the maintainers file or some other file so they can
> > prove their identity if needed. Should also have a policy that ensures
> > that key is not shared with the parent organization or we may have
> > "maintainers" who just happen to live forever ;)
>
> Perhaps. :-)
>
> There are a few drawbacks:
>
> 1. PGP is difficult to use.
> 2. Key management is tedious and tiresome.
> 3. A key still needs to be associated with an email address (ID).
> 4. The policy requirement is difficult to enforce and check.
>
> I think #3 is a deal breaker. Not everyone likes to mingle personal and
> professional life, so the key may be associated with their work email
> address.  A philosophical question is if you don't own that email
> address anymore, can you still claim you own that key?

Yes, owning the key is proved by the fact that you have the private
portion and can sign a message saying "I no longer have that other
email that I used before". What address that signed message comes from
doesn't matter.

>
> Ultimately we want to solve a trust issue. Although I like the concept
> of PGP and have been a user for a long time,  we probably don't want to
> use PGP just for the sake of using it, when there are other easier ways
> to get things done. :-)

If there are better alternatives then sure, pgp is a bit of a pita I
agree. But there is certainly a trust aspect here that we don't really
have a good way of handling other than crossing fingers that people
are actually who they claim to be. For off-shoot patches being
contributed this doesn't matter too much but for the maintainers it's
a bit different. There certainly are maintainers who I never met and
can't even find any public information about them online (conference
talks or anything). So even if at a summit someone would appear and
claim, for example, to be Gang Wei, how would I know? :) If not pgp
then maybe at least a photo of each maintainer would go a long way to
make sure no one got replaced by the borg ;)

Tamas

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
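
An added example, not part of the thread or of any Xen tooling: the reply above argues that possession of the private key proves identity regardless of the sending address, and this sketch shows a check that binds a signed statement to a recorded key fingerprint while ignoring the e-mail address in the key's user ID. The `RECORDED` table, the maintainer name, the fingerprints and the sample status lines are all constructed; the status tags are the ones GnuPG emits with `--status-fd`.

```python
import subprocess

# Hypothetical record kept alongside a maintainers file (constructed fingerprint).
RECORDED = {"Example Maintainer": "A" * 40}
REJECT = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")

def signer_fingerprint(status_text):
    """Return the primary-key fingerprint of a good signature, else None.

    The user ID (name and e-mail) on the GOODSIG line is deliberately ignored:
    it is only a label on the key, not evidence of who holds the private key.
    """
    fpr, good = None, False
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT:
            return None  # bad, unverifiable, expired or revoked-key signature
        if parts[1] == "GOODSIG":
            good = True
        elif parts[1] == "VALIDSIG":
            # First field: fingerprint of the signing (sub)key.
            # Last field, when present: fingerprint of the primary key.
            fpr = parts[-1] if len(parts) >= 12 else parts[2]
    return fpr.upper() if good and fpr else None

def statement_accepted(maintainer, status_text):
    """True only if the statement was signed by the key recorded for this maintainer."""
    recorded = RECORDED.get(maintainer)
    return recorded is not None and signer_fingerprint(status_text) == recorded

def gpg_status(signed_file):
    """Verify a clearsigned file with gpg and return its machine-readable status lines."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", signed_file]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

# Constructed status output: a good signature by the recorded key whose user ID
# still carries an old work address the signer no longer controls.
SAMPLE_OK = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Example Maintainer <old@employer.example>\n"
    "[GNUPG:] VALIDSIG " + "A" * 40 + " 2019-03-15 1552665600 0 4 0 1 8 01 " + "A" * 40 + "\n"
)
# Constructed: cryptographically valid, but made with a different key.
SAMPLE_OTHER_KEY = SAMPLE_OK.replace("A" * 40, "B" * 40)
# Constructed: signature does not match the message.
SAMPLE_BAD = "[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Example Maintainer <old@employer.example>\n"
```

The decision depends only on the fingerprint in `VALIDSIG`, so a statement sent from any mailbox is accepted if the recorded key signed it, and a message claiming the same name and address is rejected if a different key did.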
