Dakons blog

Created: 8 Jan 2012, 18:04
Modified: 5 Jan 2013, 20:37

How to get trust


Edulix's post reminded me of something that we discussed in #kde-devel the other day. All this GPG signing stuff is based on the trust you have in other people's keys.

Trust in those keys is much more visible than in other trust models: you can see who signed a key (and thereby claims to have verified its owner), and there are even websites that show you the possible trust paths between two keys (e.g. pathfinder).

Now these signatures need to come from somewhere, i.e. people must sign each other's keys. This is something the Linux kernel developers, for example, are currently doing: only people with a trustworthy key are given write access to kernel.org. While Linus may not trust me (yet), from a global point of view I'm closer to everyone than he is: take my key 69B9FC4E and compare it to Linus's key 00411886. The average distance from anyone involved in the PGP web of trust to my key is 3.9, while for his key it is 4.5. The reason for this is not only that my key is signed by more people; it's also that e.g. the fifth most signed key is one of those.
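To make the "closer to everyone" argument concrete, here is an added example (not code from the original post, and the graph is constructed, not real keyserver data) that computes the mean shortest distance of a key, the way a pathfinder-style tool does: every signature is a directed edge signer -> signee, a trust path is a chain of such edges, and a key's mean distance is the average length of the shortest path from every other reachable key to it. In the toy graph the key "linus" carries four signatures and "me" only two, yet "me" ends up with the lower mean distance because one of its two signers is the most connected key ("hub"); keys with no path at all are reported separately rather than averaged in.

```python
from collections import deque

# Constructed toy web of trust (not real keyserver data): SIGNATURES[signer]
# is the set of keys that signer has certified. A trust path from X to Y is a
# chain of such certifications X -> ... -> Y; the more hops you need, the
# weaker the evidence about Y from X's point of view.
SIGNATURES = {
    "hub":   {"p1", "p2", "p3", "p4", "l1", "l2", "l3", "l4", "me"},
    "p1":    {"hub", "p2", "me"},
    "p2":    {"hub", "p3"},
    "p3":    {"hub", "p4"},
    "p4":    {"hub", "p1"},
    "l1":    {"hub", "linus", "l2"},
    "l2":    {"hub", "linus", "l3"},
    "l3":    {"hub", "linus", "l4"},
    "l4":    {"hub", "linus", "l1"},
    "me":    {"hub"},
    "linus": {"l1"},
}


def signers_of(graph, key):
    """Keys that have signed `key` (roughly what `gpg --list-sigs` shows)."""
    return {signer for signer, signed in graph.items() if key in signed}


def shortest_path(graph, src, dst):
    """Shortest trust path src -> ... -> dst following signatures, or None."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def mean_signature_distance(graph, target):
    """Average length of the shortest trust path from every other key to
    `target`. Keys with no path at all are left out of the average and
    returned separately: they could never verify `target` anyway."""
    # Walk signatures backwards (signee -> signer) so a single BFS from
    # `target` yields the distance from every signer towards it.
    reverse = {k: set() for k in graph}
    for signer, signed in graph.items():
        for key in signed:
            reverse.setdefault(key, set()).add(signer)
    dist = {target: 0}
    queue = deque([target])
    while queue:
        node = queue.popleft()
        for signer in reverse[node]:
            if signer not in dist:
                dist[signer] = dist[node] + 1
                queue.append(signer)
    others = [d for k, d in dist.items() if k != target]
    unreachable = set(graph) - set(dist)
    mean = sum(others) / len(others) if others else float("inf")
    return mean, len(others), unreachable


if __name__ == "__main__":
    for key in ("me", "linus"):
        mean, n, missing = mean_signature_distance(SIGNATURES, key)
        print(f"{key}: {len(signers_of(SIGNATURES, key))} signatures, "
              f"mean distance {mean:.2f} over {n} keys, unreachable: {missing}")
    path = shortest_path(SIGNATURES, "linus", "me")
    print("trust path linus -> me:", " -> ".join(path))
```

Running it gives a mean distance of 1.9 for "me" against 2.1 for "linus", even though "linus" has twice as many signatures. The direction of the edges matters: a signature tells you something about the signed key only if you already have a path to the signer, which is why the BFS runs over incoming signatures.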

Ok, now everyone is eager to get his or her key signed, but how do you go about it? Well, when will you next meet other geeks? A KDE release party? A development sprint? Bring your key fingerprint, bring your identity card, sign and get signed! Do the actual signing at home afterwards, once you have compared the fingerprint you were handed in person with the fingerprint of the key you fetched from the keyserver. More details on this are e.g. in the KGpg documentation (on docs.kde.org, on KDE UserBase). Likely even in your language. If not, what about translating it?