From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 30223 invoked from network); 30 Apr 2004 20:23:52 +0000 Received: from smtp.gentoo.org (128.193.0.39) by eagle.gentoo.oregonstate.edu with DES-CBC3-SHA encrypted SMTP; 30 Apr 2004 20:23:52 +0000 Received: from lists.gentoo.org ([128.193.0.34] helo=eagle.gentoo.org) by smtp.gentoo.org with esmtp (Exim 4.24) id 1BJeY4-0005py-Ks for arch-gentoo-dev@lists.gentoo.org; Fri, 30 Apr 2004 20:23:52 +0000 Received: (qmail 19508 invoked by uid 50004); 30 Apr 2004 20:23:52 +0000 Mailing-List: contact gentoo-dev-help@gentoo.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@gentoo.org Received: (qmail 7396 invoked from network); 30 Apr 2004 20:23:51 +0000 Date: Fri, 30 Apr 2004 22:23:38 +0200 From: Marius Mauch To: gentoo-dev@lists.gentoo.org Message-Id: <20040430222338.327af167@sven.genone.homeip.net> In-Reply-To: <1083351681.8842.145.camel@woot.uberdavis.com> References: <1083296558.8842.127.camel@woot.uberdavis.com> <1083351681.8842.145.camel@woot.uberdavis.com> Organization: Gentoo Linux X-Mailer: Sylpheed version 0.9.10claws (GTK+ 1.2.10; i686-pc-linux-gnu) X-Face: H@&[wkk?l:Zx:8i_5bViK&{Vz{c{~r),^&:v/r#+X5dmfA6qCl)~'Ul{"&06Q1[05.%v&c>je5R{=xLnx^=~lN~rO0xuR~~NY)CX\"Nc4$9CBPwDl-.pYuVeGdir86L@\:j?7@%Ej2?Wi-Y0=1]T14ce0w79Bckk[*ti{;iA"{;I}&E~.msRBsBS)N!CS4Gd|_UR Mime-Version: 1.0 Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha1"; boundary="Signature=_Fri__30_Apr_2004_22_23_38_+0200_F1_6V3=tM=sa/7p_" X-Provags-ID: kundenserver.de abuse@kundenserver.de auth:7e6c91d1b14dbccceb2f2166522fa0f6 Subject: Re: [gentoo-dev] Key policy for GPG verification [was: 2004.2 Feature Requests] X-Archives-Salt: 5acc95ef-2338-4e64-b4d3-a7dbc04fac04 X-Archives-Hash: 0e936f1c1ee39a7eb5f9f53bffa9cd65 --Signature=_Fri__30_Apr_2004_22_23_38_+0200_F1_6V3=tM=sa/7p_ Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 7bit On 04/30/04 John Davis wrote: > Portage enhancements are a tough one. I know that genone has emerge > security almost there and GPG manifest signing is somewhere in the > middle (need verification here). The problem in making these release > guidelines is the fact that they are totally dependent on 2 people's > time and work. Releng does not have control over whether or not these > can be completed, so putting them on the feature list usually ends up > being an exercise in futility. If some people are willing to help out > carpaski and genone, then I will add it to the list, but if they are > left implementing and testing these two rather substantial features > themselves, I am not adding them to the list. Ok, guess I should repeat that the most important thing for GPG signing (actually the missing part is verification) that's still missing is a key policy: where to store keys, how to check if they are trustworthy and so on. If we can agree on a simple and effective solution there it shouldn't be too difficult to implement this feature (talking about code here, not the tree). The last time we had a way too long thread with way too many details and discussions about problem scenarios, please let's try to avoid that. And to get everyone on track I'll start with a very simple proposal (idea stolen from Spanky IIRC), I won't say that it's really effective though: - keys are stored in a keyring and are installed by an ebuild - a key is trustworthy if it is in that keyring - expiration is handled by removing the key from that keyring - each modification to the keyring involves a version bump on the ebuild That's about the easiest for implementation and doesn't require anything new for our infrastructure or key-signing-sessions. It does not say who will manage that keyring though as that is not important for the implementation. I'm pretty sure that the idea has a number of flaws, but we have to start somewhere. Marius -- Public Key at http://www.genone.de/info/gpg-key.pub In the beginning, there was nothing. And God said, 'Let there be Light.' And there was still nothing, but you could see a bit better. --Signature=_Fri__30_Apr_2004_22_23_38_+0200_F1_6V3=tM=sa/7p_ Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAkrXOWzrL1pM7SNcRAjSrAJ4mnnX4xBXvPMhj7fbzkEuRwqKxIACfR/Mx /CkN8J8LA9Gt7r41XI0vdOk= =p+QI -----END PGP SIGNATURE----- --Signature=_Fri__30_Apr_2004_22_23_38_+0200_F1_6V3=tM=sa/7p_--