Re: [Tails-l10n] OpenPGP-signed pull requests?

Author: BitingBird
Date:  
To: Tails localization discussion
Subject: Re: [Tails-l10n] OpenPGP-signed pull requests?
intrigeri:
> Hi,
>
> flapflap wrote (14 Jun 2014 18:52:26 GMT) :
>> Just one thing: how would you ensure that you can trust a key's signature?
>
> In practice, based on the current state of things, I've been able to
> carefully verify keys for at least one member of each Git-using
> translation team, so that should not be a problem.
>
> In the future, when new teams want to join us, that's actually not
> a substantially different problem than "how to trust a new translation
> team?" -- once we decide we trust that $EMAIL_ADDRESS won't put
> anything fishy on the Tails website, and we will take pull requests
> from them (which is the current situation), we can as well root
> cryptographic trust in the public keys $EMAIL sends us at this time.
> It's just the same thing as we're doing nowadays, but using an OpenPGP
> key instead of $EMAIL_ADDRESS as the authenticator, using TOFU in the
> worst case to match keys to email addresses.
>
> Cheers,
>

Really, the only problem is for new contributors that are not familiar
with GPG. Our current setup is already asking a lot from potential
translators, I think. So... I'd like to do this progressively, first
doing it for French/German teams, and with other teams when it's
possible, but not as necessary to start translating. Does it sound possible?

Cheers,

Solveig
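
An added example, not part of this thread or of Tails' tooling: a sketch of the trust-on-first-use matching of keys to email addresses described in the quoted message, combined with the progressive rollout proposed in the reply. It assumes the signature itself was already verified by an OpenPGP tool and the signer's fingerprint extracted; the team codes, `ENFORCED_TEAMS`, `TofuStore`, `decide`, and the rules for key changes and for unsigned work from an already-pinned address are all hypothetical.

```python
import re
from dataclasses import dataclass, field

# Assumption: teams where a signature is already mandatory (the reply
# proposes starting with the French and German teams).
ENFORCED_TEAMS = {"fr", "de"}

def normalize(fingerprint: str) -> str:
    """Canonical form of a 40-hex-digit OpenPGP v4 fingerprint."""
    fp = re.sub(r"\s+", "", fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        raise ValueError("not a v4 fingerprint")
    return fp

@dataclass
class TofuStore:
    # email -> pinned fingerprint; carefully verified keys can be preloaded
    pins: dict = field(default_factory=dict)

    def check(self, email: str, fingerprint: str) -> str:
        """Pin on first use; afterwards report 'match' or 'mismatch'."""
        key, fp = email.strip().lower(), normalize(fingerprint)
        if key not in self.pins:
            self.pins[key] = fp
            return "pinned"
        return "match" if self.pins[key] == fp else "mismatch"

def decide(store: TofuStore, team: str, email: str, signer_fp=None) -> str:
    """signer_fp is the fingerprint behind an already-verified signature,
    or None when the pull request is unsigned."""
    key = email.strip().lower()
    if signer_fp is None:
        # Assumed rule: once an address has a pin, unsigned work from it
        # is refused, so the pin cannot be bypassed by omitting the signature.
        if team in ENFORCED_TEAMS or key in store.pins:
            return "reject"
        return "accept-unsigned"
    result = store.check(email, signer_fp)
    if result == "mismatch":
        return "reject"  # key changed: needs manual re-verification
    return "accept-first-use" if result == "pinned" else "accept"
```

A first-use acceptance is the point where a reviewer would confirm the key out of band before relying on the pin.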