Re: [Xen-devel] [PATCH 1/1] Update TXT maintainter

On Fri, Mar 15, 2019 at 10:51 AM Wei Liu <wei.liu2@xxxxxxxxxx> wrote:
>
> On Fri, Mar 15, 2019 at 10:12:16AM -0600, Tamas K Lengyel wrote:
> > On Fri, Mar 15, 2019 at 4:58 AM Wei Liu <wei.liu2@xxxxxxxxxx> wrote:
> > >
> > > On Thu, Mar 14, 2019 at 06:25:42PM +0000, Julien Grall wrote:
> > > > Hi Wei,
> > > >
> > > > On 3/12/19 11:54 AM, Wei Liu wrote:
> > > > > Thanks. The format looks correct now.
> > > > >
> > > > > Shane, can you ack this patch?
> > > >
> > > > Do we also need Gang Wei acked-by to confirm he wants to be removed?
> > >
> > > In theory yes, but if Gang had left Intel there he couldn't possibly
> > > reply from his intel address. And there will be no way to verify if a
> > > Gang Wei email from any other address is the Gang Wei we're looking for.
> >
> > Perhaps for this reason it would be nice if each maintainer recorded a
> > pgp key in either the maintainers file or some other file so they can
> > prove their identity if needed. Should also have a policy that ensures
> > that key is not shared with the parent organization or we may have
> > "maintainers" who just happen to live forever ;)
>
> Perhaps. :-)
>
> There are a few drawbacks:
>
> 1. PGP is difficult to use.
> 2. Key management is tedious and tiresome.
> 3. A key still needs to be associated with an email address (ID).
> 4. The policy requirement is difficult to enforce and check.
>
> I think #3 is a deal breaker. Not everyone likes to mingle personal and
> professional life, so the key may be associated with their work email
> address. A philosophical question is if you don't own that email
> address anymore, can you still claim you own that key?

Yes, owning the key is proved by the fact that you have the private
portion and can sign a message saying "I no longer have that other
email that I used before". What address that signed message comes from
doesn't matter.

>
> Ultimately we want to solve a trust issue. Although I like the concept
> of PGP and have been a user for a long time, we probably don't want to
> use PGP just for the sake of using it, when there are other easier ways
> to get things done. :-)

If there are better alternatives then sure, pgp is a bit of a pita I
agree. But there is certainly a trust aspect here that we don't really
have a good way of handling other than crossing fingers that people are
actually who they claim to be. For off-shoot patches being contributed
this doesn't matter too much but for the maintainers it's a bit
different. There certainly are maintainers who I never met and can't
even find any public information about them online (conference talks or
anything). So even if at a summit someone would appear and claim, for
example, to be Gang Wei, how would I know? :) If not pgp then maybe at
least a photo of each maintainer would go a long way to make sure no one
got replaced by the borg ;)

Tamas