mercedes508: >> Would it sound crazy, too painful, or what, if we required l10n pull
>> requests to be OpenPGP-signed?
>
> It sounds doable to me. would be no problem for me either.
Just one thing: how would you ensure that you can trust a key's signature?
Or to rephrase it differently: the people here likely won't tell their
names/state it in the key UID, and likely won't tell you which pseudonym
they use when they meet you in person. That also means that the UIDs
likely are the email adresses used for the mailing lists and not signed
by other people (no WOT).
So, is it correct to say that in the end the trust in a key is built
through "reputation"?
Then, "reputation" would be something like
- steadiness of key usage: pull requests; maybe signing all emails by
default; maybe also signing commits,...
- quality of delivered work: "new" persons can't do reviews (or the
review has to be treated with more care) as they have not yet the
"reputation" to be trustworthy
Nonetheless, I think it is not possible to really automate the
pull/merge process just because of having a signed pull request - I
would miss a person (the one who does the merge) that still follows the
conversation during review process.
