Posted to dev@calcite.apache.org by Stamatis Zampetakis <za...@gmail.com> on 2022/03/27 21:33:29 UTC

Expanding the Web of trust in the Calcite community / PGP Key signing

Hi all,

As was brought up in the past few releases, our web of trust [1] is not
very strong.

There are many members in the PMC, and many more in the broader community, but
very few have signed each other's PGP keys.

In most of the cases when I verify a release I will get a fair warning that
the key used to sign the release is not trusted. This may be OK for
non-regular contributors testing a release candidate but it shouldn't be
the norm for those with binding votes.

I think we should take action and hold a key signing party where at least
the active members in the PMC sign each other's keys. If others find this
subject important we can start directly discussing a date convenient for
the majority.

Going one step further, I would propose to make key signing part of the
procedure of inviting someone to join the project as committer/PMC. The one
who sends the invitation can also sign the key of the new member, directly
expanding the web of trust for the whole PMC.

Let me know your thoughts.

Best,
Stamatis

[1] https://en.wikipedia.org/wiki/Web_of_trust

Re: Expanding the Web of trust in the Calcite community / PGP Key signing

Posted by Ruben Q L <ru...@gmail.com>.
Hello,

Thanks Stamatis for starting this discussion. I agree with your proposals.

I'm in UTC+1 right now (UTC in winter).

Best,
Ruben


On Mon, Mar 28, 2022 at 9:22 AM Stamatis Zampetakis <za...@gmail.com>
wrote:

> Hi Francis,
>
> Yes you are right. To remove the warning the release signing key needs to
> be either signed directly by myself or transitively through the notion of
> trust [1].
> I am hoping that signing each other's keys will also make the warning
> disappear along with the other benefits.
>
> I am in UTC+2 but I am willing to join in non-conventional hours if we
> cannot find a reasonable slot that works.
> We can also set up two or more slots with some people joining multiple if
> possible.
>
> Best,
> Stamatis
>
> [1] https://www.gnupg.org/gph/en/manual/x334.html
>
> On Mon, Mar 28, 2022 at 12:43 AM Francis Chuang <fr...@apache.org>
> wrote:
>
> > Hi Stamatis,
> >
> > Thanks for bringing this up. I think this is a good idea. I am in UTC+11
> > and will be in UTC+10 starting this Sunday.
> >
> > Regarding the warning from GPG, I think GPG does not trust the keys you
> > add to its database by default. In order to get GPG to trust it, I think
> > we need to sign all the keys in the database ourselves, so that it
> > becomes trusted.
> >
> > In any case, I think expanding the web of trust is still quite important
> > and having more people sign each other's keys is a good thing. The main
> > challenge is probably people being in vastly different timezones /
> > geographies, but hopefully we can sort something out.
> >
> > Francis
> >
> > On 28/03/2022 8:33 am, Stamatis Zampetakis wrote:
> > > Hi all,
> > >
> > > As was brought up in the past few releases, our web of trust [1] is
> not
> > > very strong.
> > >
> > > There are many members in the PMC, and many more in the broader community,
> > but
> > > very few have signed each other's PGP keys.
> > >
> > > In most of the cases when I verify a release I will get a fair warning
> > that
> > > the key used to sign the release is not trusted. This may be OK for
> > > non-regular contributors testing a release candidate but it shouldn't
> be
> > > the norm for those with binding votes.
> > >
> > > I think we should take action and hold a key signing party where at
> least
> > > the active members in the PMC sign each other's keys. If others find
> this
> > > subject important we can start directly discussing a date convenient
> for
> > > the majority.
> > >
> > > Going one step further, I would propose to make key signing part of
> the
> > > procedure of inviting someone to join the project as committer/PMC. The
> > one
> > > who sends the invitation can also sign the key of the new member,
> > directly
> > > expanding the web of trust for the whole PMC.
> > >
> > > Let me know your thoughts.
> > >
> > > Best,
> > > Stamatis
> > >
> > > [1] https://en.wikipedia.org/wiki/Web_of_trust
> > >
> >
>

Re: Expanding the Web of trust in the Calcite community / PGP Key signing

Posted by Stamatis Zampetakis <za...@gmail.com>.
Hi Francis,

Yes you are right. To remove the warning the release signing key needs to
be either signed directly by myself or transitively through the notion of
trust [1].
I am hoping that signing each other's keys will also make the warning
disappear along with the other benefits.

I am in UTC+2 but I am willing to join in non-conventional hours if we
cannot find a reasonable slot that works.
We can also set up two or more slots with some people joining multiple if
possible.

Best,
Stamatis

[1] https://www.gnupg.org/gph/en/manual/x334.html

On Mon, Mar 28, 2022 at 12:43 AM Francis Chuang <fr...@apache.org>
wrote:

> Hi Stamatis,
>
> Thanks for bringing this up. I think this is a good idea. I am in UTC+11
> and will be in UTC+10 starting this Sunday.
>
> Regarding the warning from GPG, I think GPG does not trust the keys you
> add to its database by default. In order to get GPG to trust it, I think
> we need to sign all the keys in the database ourselves, so that it
> becomes trusted.
>
> In any case, I think expanding the web of trust is still quite important
> and having more people sign each other's keys is a good thing. The main
> challenge is probably people being in vastly different timezones /
> geographies, but hopefully we can sort something out.
>
> Francis
>
> On 28/03/2022 8:33 am, Stamatis Zampetakis wrote:
> > Hi all,
> >
> > As was brought up in the past few releases, our web of trust [1] is not
> > very strong.
> >
> > There are many members in the PMC, and many more in the broader community,
> but
> > very few have signed each other's PGP keys.
> >
> > In most of the cases when I verify a release I will get a fair warning
> that
> > the key used to sign the release is not trusted. This may be OK for
> > non-regular contributors testing a release candidate but it shouldn't be
> > the norm for those with binding votes.
> >
> > I think we should take action and hold a key signing party where at least
> > the active members in the PMC sign each other's keys. If others find this
> > subject important we can start directly discussing a date convenient for
> > the majority.
> >
> > Going one step further, I would propose to make key signing part of the
> > procedure of inviting someone to join the project as committer/PMC. The
> one
> > who sends the invitation can also sign the key of the new member,
> directly
> > expanding the web of trust for the whole PMC.
> >
> > Let me know your thoughts.
> >
> > Best,
> > Stamatis
> >
> > [1] https://en.wikipedia.org/wiki/Web_of_trust
> >
>

Re: Expanding the Web of trust in the Calcite community / PGP Key signing

Posted by Francis Chuang <fr...@apache.org>.
Hi Stamatis,

Thanks for bringing this up. I think this is a good idea. I am in UTC+11 
and will be in UTC+10 starting this Sunday.

Regarding the warning from GPG, I think GPG does not trust the keys you 
add to its database by default. In order to get GPG to trust it, I think 
we need to sign all the keys in the database ourselves, so that it 
becomes trusted.

In any case, I think expanding the web of trust is still quite important 
and having more people sign each other's keys is a good thing. The main 
challenge is probably people being in vastly different timezones / 
geographies, but hopefully we can sort something out.

Francis

On 28/03/2022 8:33 am, Stamatis Zampetakis wrote:
> Hi all,
> 
> As was brought up in the past few releases, our web of trust [1] is not
> very strong.
> 
> There are many members in the PMC, and many more in the broader community, but
> very few have signed each other's PGP keys.
> 
> In most of the cases when I verify a release I will get a fair warning that
> the key used to sign the release is not trusted. This may be OK for
> non-regular contributors testing a release candidate but it shouldn't be
> the norm for those with binding votes.
> 
> I think we should take action and hold a key signing party where at least
> the active members in the PMC sign each other's keys. If others find this
> subject important we can start directly discussing a date convenient for
> the majority.
> 
> Going one step further, I would propose to make key signing part of the
> procedure of inviting someone to join the project as committer/PMC. The one
> who sends the invitation can also sign the key of the new member, directly
> expanding the web of trust for the whole PMC.
> 
> Let me know your thoughts.
> 
> Best,
> Stamatis
> 
> [1] https://en.wikipedia.org/wiki/Web_of_trust
>
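
Francis's observation that GnuPG does not trust imported keys by default, and Stamatis's point that the release key must be certified either directly or transitively, are both consequences of the GnuPG trust model he links to (marginals-needed 3, completes-needed 1, max-cert-depth 5). The following is an added example, not code from this thread or from GnuPG: a small Python model of that validity computation over a constructed set of keys ("me" as the verifier, "rm" as the release manager, "pmcA".."pmcC" as PMC members), showing why the release key stays untrusted until enough trusted members have certified it.

```python
"""Added model of GnuPG's classic trust model (defaults: marginals-needed=3,
completes-needed=1, max-cert-depth=5). Not GnuPG code; keys are constructed."""
MARGINALS_NEEDED, COMPLETES_NEEDED, MAX_CERT_DEPTH = 3, 1, 5

def compute_validity(certs, ownertrust, own_key):
    """certs: {key: set of keys whose certification (signature) it carries}.
    ownertrust: {key: 'marginal' | 'full'}, the value you assign with
    'gpg --edit-key <id>' -> 'trust'. own_key is ultimately trusted.
    Returns {key: 'unknown' | 'marginal' | 'full' | 'ultimate'}."""
    keys = set(certs) | {s for ss in certs.values() for s in ss} | {own_key}
    validity = {k: "unknown" for k in keys}
    depth = {k: None for k in keys}          # certification path length from own_key
    validity[own_key], depth[own_key] = "ultimate", 0
    changed = True
    while changed:                           # repeat until no validity improves
        changed = False
        for key in keys:
            if validity[key] in ("full", "ultimate"):
                continue
            fulls, marginals, depths = 0, 0, []
            for signer in certs.get(key, ()):
                # Only fully valid signers within the depth limit count at all.
                if validity[signer] not in ("full", "ultimate") or depth[signer] >= MAX_CERT_DEPTH:
                    continue
                trust = "full" if signer == own_key else ownertrust.get(signer, "unknown")
                if trust == "full":
                    fulls += 1
                elif trust == "marginal":
                    marginals += 1
                else:
                    continue                 # valid key, but you never said you trust its owner
                depths.append(depth[signer] + 1)
            new = validity[key]
            if fulls >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                new = "full"
            elif marginals > 0:
                new = "marginal"             # gpg warns: not certified with sufficiently trusted signatures
            if new != validity[key]:
                validity[key], depth[key], changed = new, min(depths), True
    return validity

# Constructed web of trust: "me" verifies the release, "rm" signed it.
OWNERTRUST = {"pmcA": "marginal", "pmcB": "marginal", "pmcC": "marginal"}
CERTS_BEFORE = {"rm": {"pmcA"}, "pmcA": {"pmcB"}, "pmcB": {"pmcA"}}   # no path back to "me"
CERTS_AFTER = {"rm": {"pmcA", "pmcB", "pmcC"},                        # after the signing party
               "pmcA": {"me"}, "pmcB": {"me"}, "pmcC": {"me"}}

if __name__ == "__main__":
    for label, certs in (("before", CERTS_BEFORE), ("after", CERTS_AFTER)):
        print(label, compute_validity(certs, OWNERTRUST, "me")["rm"])  # unknown, then full
```

With only two marginally trusted certifiers the release key reaches marginal validity, which gpg still reports with a warning; one certification from a fully trusted key, or from your own key, is enough on its own.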