[gentoo-dev] [PATCH] glep-0063: Add section about the Gentoo keyserver

[gentoo-dev] [PATCH] glep-0063: Add section about the Gentoo keyserver

[Mike Gilbert]

Signed-off-by: Mike Gilbert <floppym@gentoo.org>
---
 glep-0063.rst | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/glep-0063.rst b/glep-0063.rst
index 82541bd..4191709 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -7,10 +7,10 @@ Author: Robin H. Johnson <robbat2@gentoo.org>,
         Michał Górny <mgorny@gentoo.org>
 Type: Standards Track
 Status: Final
-Version: 2.1
+Version: 2.2
 Created: 2013-02-18
-Last-Modified: 2019-11-07
-Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24
+Last-Modified: 2020-12-17
+Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24, 2020-12-17
 Content-Type: text/x-rst
 ---
 
@@ -28,6 +28,9 @@ OpenPGP key management policies for the Gentoo Linux distribution.
 Changes
 =======
 
+v2.2
+  Added "Gentoo Keyserver" section under "Gentoo Infrastructure" chapter.
+
 v2.1
   A requirement for an encryption key has been added, in order to extend
   the GLEP beyond commit signing and into use of OpenPGP for dev-to-dev
@@ -135,8 +138,11 @@ their primary key).
 
 5. Encrypted backup of your secret keys.
 
+Gentoo Infrstructure
+====================
+
 Gentoo LDAP
-===========
+-----------
 
 All Gentoo developers must list the complete fingerprint for their primary
 keys in the "``gpgfingerprint``" LDAP field. It must be exactly 40 hex digits,
@@ -147,6 +153,16 @@ of the fingerprint field. In any place that presently displays
 the "``gpgkey``" field, the last 16 hex digits of the fingerprint should
 be displayed instead.
 
+Gentoo Keyserver
+----------------
+
+Gentoo infrastructure uses a keyserver that is isolated from the SKS pool.
+This keyserver is restricted to accepting uploads from authorized Gentoo hosts.
+A script is provided on dev.gentoo.org to allow developers to upload their
+keys.
+
+``gpg --export KEYID | ssh dev.gentoo.org /usr/local/bin/openpgp-key-upload``
+
 Backwards Compatibility
 =======================
 
-- 
2.29.2

Re: [gentoo-dev] [PATCH] glep-0063: Add section about the Gentoo keyserver

[Robin H. Johnson]

[-- Attachment #1: Type: text/plain, Size: 804 bytes --]

On Thu, Dec 17, 2020 at 12:49:09PM -0500, Mike Gilbert wrote:
> +Gentoo Keyserver
> +----------------
> +
> +Gentoo infrastructure uses a keyserver that is isolated from the SKS pool.
> +This keyserver is restricted to accepting uploads from authorized Gentoo hosts.
> +A script is provided on dev.gentoo.org to allow developers to upload their
> +keys.
> +
> +``gpg --export KEYID | ssh dev.gentoo.org /usr/local/bin/openpgp-key-upload``
> +
Request: Please add the text "This upload is required in addition to
uploading the SKS pool", or something to that effect.

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 1113 bytes --]

[gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

[Mike Gilbert]

Signed-off-by: Mike Gilbert <floppym@gentoo.org>
---

v2: Added "This upload is required in addition to uploading the SKS pool."

 glep-0063.rst | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/glep-0063.rst b/glep-0063.rst
index 82541bd..ec465db 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -7,10 +7,10 @@ Author: Robin H. Johnson <robbat2@gentoo.org>,
         Michał Górny <mgorny@gentoo.org>
 Type: Standards Track
 Status: Final
-Version: 2.1
+Version: 2.2
 Created: 2013-02-18
-Last-Modified: 2019-11-07
-Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24
+Last-Modified: 2020-12-17
+Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24, 2020-12-17
 Content-Type: text/x-rst
 ---
 
@@ -28,6 +28,9 @@ OpenPGP key management policies for the Gentoo Linux distribution.
 Changes
 =======
 
+v2.2
+  Added "Gentoo Keyserver" section under "Gentoo Infrastructure" chapter.
+
 v2.1
   A requirement for an encryption key has been added, in order to extend
   the GLEP beyond commit signing and into use of OpenPGP for dev-to-dev
@@ -135,8 +138,11 @@ their primary key).
 
 5. Encrypted backup of your secret keys.
 
+Gentoo Infrstructure
+====================
+
 Gentoo LDAP
-===========
+-----------
 
 All Gentoo developers must list the complete fingerprint for their primary
 keys in the "``gpgfingerprint``" LDAP field. It must be exactly 40 hex digits,
@@ -147,6 +153,16 @@ of the fingerprint field. In any place that presently displays
 the "``gpgkey``" field, the last 16 hex digits of the fingerprint should
 be displayed instead.
 
+Gentoo Keyserver
+----------------
+
+Gentoo infrastructure uses a keyserver that is isolated from the SKS pool.
+This keyserver is restricted to accepting uploads from authorized Gentoo hosts.
+A script is provided on dev.gentoo.org to allow developers to upload their
+keys. This upload is required in addition to uploading to the SKS pool.
+
+``gpg --export KEYID | ssh dev.gentoo.org /usr/local/bin/openpgp-key-upload``
+
 Backwards Compatibility
 =======================
 
-- 
2.30.0.rc0

Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

[Davide Pesavento]

On Thu, Dec 17, 2020 at 1:12 PM Mike Gilbert <floppym@gentoo.org> wrote:
>
> Signed-off-by: Mike Gilbert <floppym@gentoo.org>
> ---
>
> v2: Added "This upload is required in addition to uploading the SKS pool."
>
>  glep-0063.rst | 24 ++++++++++++++++++++----
>  1 file changed, 20 insertions(+), 4 deletions(-)
>
> diff --git a/glep-0063.rst b/glep-0063.rst
> index 82541bd..ec465db 100644
> --- a/glep-0063.rst
> +++ b/glep-0063.rst
> @@ -7,10 +7,10 @@ Author: Robin H. Johnson <robbat2@gentoo.org>,
>          Michał Górny <mgorny@gentoo.org>
>  Type: Standards Track
>  Status: Final
> -Version: 2.1
> +Version: 2.2
>  Created: 2013-02-18
> -Last-Modified: 2019-11-07
> -Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24
> +Last-Modified: 2020-12-17
> +Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24, 2020-12-17
>  Content-Type: text/x-rst
>  ---
>
> @@ -28,6 +28,9 @@ OpenPGP key management policies for the Gentoo Linux distribution.
>  Changes
>  =======
>
> +v2.2
> +  Added "Gentoo Keyserver" section under "Gentoo Infrastructure" chapter.
> +
>  v2.1
>    A requirement for an encryption key has been added, in order to extend
>    the GLEP beyond commit signing and into use of OpenPGP for dev-to-dev
> @@ -135,8 +138,11 @@ their primary key).
>
>  5. Encrypted backup of your secret keys.
>
> +Gentoo Infrstructure

Typo.

> +====================
> +
>  Gentoo LDAP
> -===========
> +-----------
>
>  All Gentoo developers must list the complete fingerprint for their primary
>  keys in the "``gpgfingerprint``" LDAP field. It must be exactly 40 hex digits,
> @@ -147,6 +153,16 @@ of the fingerprint field. In any place that presently displays
>  the "``gpgkey``" field, the last 16 hex digits of the fingerprint should
>  be displayed instead.
>
> +Gentoo Keyserver
> +----------------
> +
> +Gentoo infrastructure uses a keyserver that is isolated from the SKS pool.
> +This keyserver is restricted to accepting uploads from authorized Gentoo hosts.
> +A script is provided on dev.gentoo.org to allow developers to upload their
> +keys. This upload is required in addition to uploading to the SKS pool.
> +
> +``gpg --export KEYID | ssh dev.gentoo.org /usr/local/bin/openpgp-key-upload``
> +
>  Backwards Compatibility
>  =======================
>
> --
> 2.30.0.rc0
>
>

The rest LGTM.

Thanks,
Davide

Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

[Michał Górny]

On Thu, 2020-12-17 at 13:12 -0500, Mike Gilbert wrote:
> Signed-off-by: Mike Gilbert <floppym@gentoo.org>
> ---
> 
> v2: Added "This upload is required in addition to uploading the SKS
> pool."
> 
>  glep-0063.rst | 24 ++++++++++++++++++++----
>  1 file changed, 20 insertions(+), 4 deletions(-)
> 
> diff --git a/glep-0063.rst b/glep-0063.rst
> index 82541bd..ec465db 100644
> --- a/glep-0063.rst
> +++ b/glep-0063.rst
> @@ -7,10 +7,10 @@ Author: Robin H. Johnson <robbat2@gentoo.org>,
>          Michał Górny <mgorny@gentoo.org>
>  Type: Standards Track
>  Status: Final
> -Version: 2.1
> +Version: 2.2
>  Created: 2013-02-18
> -Last-Modified: 2019-11-07
> -Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24
> +Last-Modified: 2020-12-17
> +Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24, 2020-
> 12-17
>  Content-Type: text/x-rst
>  ---
>  
> @@ -28,6 +28,9 @@ OpenPGP key management policies for the Gentoo
> Linux distribution.
>  Changes
>  =======
>  
> +v2.2
> +  Added "Gentoo Keyserver" section under "Gentoo Infrastructure"
> chapter.
> +
>  v2.1
>    A requirement for an encryption key has been added, in order to
> extend
>    the GLEP beyond commit signing and into use of OpenPGP for dev-to-
> dev
> @@ -135,8 +138,11 @@ their primary key).
>  
>  5. Encrypted backup of your secret keys.
>  
> +Gentoo Infrstructure

T

> +====================
> +
>  Gentoo LDAP
> -===========
> +-----------
>  
>  All Gentoo developers must list the complete fingerprint for their
> primary
>  keys in the "``gpgfingerprint``" LDAP field. It must be exactly 40
> hex digits,
> @@ -147,6 +153,16 @@ of the fingerprint field. In any place that
> presently displays
>  the "``gpgkey``" field, the last 16 hex digits of the fingerprint
> should
>  be displayed instead.
>  
> +Gentoo Keyserver
> +----------------
> +
> +Gentoo infrastructure uses a keyserver that is isolated from the SKS
> pool.
> +This keyserver is restricted to accepting uploads from authorized
> Gentoo hosts.
> +A script is provided on dev.gentoo.org to allow developers to upload
> their
> +keys. This upload is required in addition to uploading to the SKS
> pool.
> +
> +``gpg --export KEYID | ssh dev.gentoo.org /usr/local/bin/openpgp-
> key-upload``
> +
>  Backwards Compatibility
>  =======================

Thank you for doing this.

That said, I'm wondering if we should keep SKS pool at all.  Did anyone
have any success interacting with it lately?  All my attempts of
fetching keys are resulting in server errors.

-- 
Best regards,
Michał Górny

Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

[Mike Gilbert]

On Thu, Dec 17, 2020 at 1:44 PM Davide Pesavento <pesa@gentoo.org> wrote:
>
> On Thu, Dec 17, 2020 at 1:12 PM Mike Gilbert <floppym@gentoo.org> wrote:
> >
> > Signed-off-by: Mike Gilbert <floppym@gentoo.org>
> > ---
> >
> > v2: Added "This upload is required in addition to uploading the SKS pool."
> >
> >  glep-0063.rst | 24 ++++++++++++++++++++----
> >  1 file changed, 20 insertions(+), 4 deletions(-)
> >
> > diff --git a/glep-0063.rst b/glep-0063.rst
> > index 82541bd..ec465db 100644
> > --- a/glep-0063.rst
> > +++ b/glep-0063.rst
> > @@ -7,10 +7,10 @@ Author: Robin H. Johnson <robbat2@gentoo.org>,
> >          Michał Górny <mgorny@gentoo.org>
> >  Type: Standards Track
> >  Status: Final
> > -Version: 2.1
> > +Version: 2.2
> >  Created: 2013-02-18
> > -Last-Modified: 2019-11-07
> > -Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24
> > +Last-Modified: 2020-12-17
> > +Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24, 2020-12-17
> >  Content-Type: text/x-rst
> >  ---
> >
> > @@ -28,6 +28,9 @@ OpenPGP key management policies for the Gentoo Linux distribution.
> >  Changes
> >  =======
> >
> > +v2.2
> > +  Added "Gentoo Keyserver" section under "Gentoo Infrastructure" chapter.
> > +
> >  v2.1
> >    A requirement for an encryption key has been added, in order to extend
> >    the GLEP beyond commit signing and into use of OpenPGP for dev-to-dev
> > @@ -135,8 +138,11 @@ their primary key).
> >
> >  5. Encrypted backup of your secret keys.
> >
> > +Gentoo Infrstructure
>
> Typo.

Thanks, fixed locally.

Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

[Robin H. Johnson]

[-- Attachment #1: Type: text/plain, Size: 683 bytes --]

On Thu, Dec 17, 2020 at 08:27:44PM +0100, Michał Górny wrote:
> Thank you for doing this.
> 
> That said, I'm wondering if we should keep SKS pool at all.  Did anyone
> have any success interacting with it lately?  All my attempts of
> fetching keys are resulting in server errors.
Yes, it worked for me 2 weeks ago when I fetched some keys from a local
SKS node to correspond with an upstream developer about a potential
security issue recently.

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 1113 bytes --]

Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

[Aaron W. Swenson]

[-- Attachment #1: Type: text/plain, Size: 2939 bytes --]

On Thu, Dec 17, 2020 at 01:12:16PM -0500, Mike Gilbert wrote:
>Signed-off-by: Mike Gilbert <floppym@gentoo.org>
>---
>
>v2: Added "This upload is required in addition to uploading the SKS pool."
>
> glep-0063.rst | 24 ++++++++++++++++++++----
> 1 file changed, 20 insertions(+), 4 deletions(-)
>
>diff --git a/glep-0063.rst b/glep-0063.rst
>index 82541bd..ec465db 100644
>--- a/glep-0063.rst
>+++ b/glep-0063.rst
>@@ -7,10 +7,10 @@ Author: Robin H. Johnson <robbat2@gentoo.org>,
>         Michał Górny <mgorny@gentoo.org>
> Type: Standards Track
> Status: Final
>-Version: 2.1
>+Version: 2.2
> Created: 2013-02-18
>-Last-Modified: 2019-11-07
>-Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24
>+Last-Modified: 2020-12-17
>+Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24, 2020-12-17
> Content-Type: text/x-rst
> ---
>
>@@ -28,6 +28,9 @@ OpenPGP key management policies for the Gentoo Linux distribution.
> Changes
> =======
>
>+v2.2
>+  Added "Gentoo Keyserver" section under "Gentoo Infrastructure" chapter.
>+
> v2.1
>   A requirement for an encryption key has been added, in order to extend
>   the GLEP beyond commit signing and into use of OpenPGP for dev-to-dev
>@@ -135,8 +138,11 @@ their primary key).
>
> 5. Encrypted backup of your secret keys.
>
>+Gentoo Infrstructure
>+====================
>+
> Gentoo LDAP
>-===========
>+-----------
>
> All Gentoo developers must list the complete fingerprint for their primary
> keys in the "``gpgfingerprint``" LDAP field. It must be exactly 40 hex digits,
>@@ -147,6 +153,16 @@ of the fingerprint field. In any place that presently displays
> the "``gpgkey``" field, the last 16 hex digits of the fingerprint should
> be displayed instead.
>
>+Gentoo Keyserver
>+----------------
>+
>+Gentoo infrastructure uses a keyserver that is isolated from the SKS pool.
>+This keyserver is restricted to accepting uploads from authorized Gentoo hosts.
>+A script is provided on dev.gentoo.org to allow developers to upload their
>+keys. This upload is required in addition to uploading to the SKS pool.
>+
>+``gpg --export KEYID | ssh dev.gentoo.org /usr/local/bin/openpgp-key-upload``
>+
> Backwards Compatibility
> =======================
>
>-- 
>2.30.0.rc0
>
>

Thanks for doing this! You beat me to the punch. I was going to try getting to
it tomorrow.

It may be good to also change step 7 under "Bare minimum requirements" to read:

     7. Upload your key to the Gentoo Keyserver before usage!

It'd give skimmers a trigger to look for the Gentoo keyserver info.

We might want to add "Upload to the SKS or some other public PGP pool" under
"Recommendations", but that's probably beyond the scope of the document now.

Lastly, should we have a link to the step-by-step guide? [1]

[1]: https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 358 bytes --]

Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

[Mike Gilbert]

On Thu, Dec 17, 2020 at 3:03 PM Aaron W. Swenson <titanofold@gentoo.org> wrote:
>
> On Thu, Dec 17, 2020 at 01:12:16PM -0500, Mike Gilbert wrote:
> >Signed-off-by: Mike Gilbert <floppym@gentoo.org>
> >---
> >
> >v2: Added "This upload is required in addition to uploading the SKS pool."
> >
> > glep-0063.rst | 24 ++++++++++++++++++++----
> > 1 file changed, 20 insertions(+), 4 deletions(-)
> >
> >diff --git a/glep-0063.rst b/glep-0063.rst
> >index 82541bd..ec465db 100644
> >--- a/glep-0063.rst
> >+++ b/glep-0063.rst
> >@@ -7,10 +7,10 @@ Author: Robin H. Johnson <robbat2@gentoo.org>,
> >         Michał Górny <mgorny@gentoo.org>
> > Type: Standards Track
> > Status: Final
> >-Version: 2.1
> >+Version: 2.2
> > Created: 2013-02-18
> >-Last-Modified: 2019-11-07
> >-Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24
> >+Last-Modified: 2020-12-17
> >+Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24, 2020-12-17
> > Content-Type: text/x-rst
> > ---
> >
> >@@ -28,6 +28,9 @@ OpenPGP key management policies for the Gentoo Linux distribution.
> > Changes
> > =======
> >
> >+v2.2
> >+  Added "Gentoo Keyserver" section under "Gentoo Infrastructure" chapter.
> >+
> > v2.1
> >   A requirement for an encryption key has been added, in order to extend
> >   the GLEP beyond commit signing and into use of OpenPGP for dev-to-dev
> >@@ -135,8 +138,11 @@ their primary key).
> >
> > 5. Encrypted backup of your secret keys.
> >
> >+Gentoo Infrstructure
> >+====================
> >+
> > Gentoo LDAP
> >-===========
> >+-----------
> >
> > All Gentoo developers must list the complete fingerprint for their primary
> > keys in the "``gpgfingerprint``" LDAP field. It must be exactly 40 hex digits,
> >@@ -147,6 +153,16 @@ of the fingerprint field. In any place that presently displays
> > the "``gpgkey``" field, the last 16 hex digits of the fingerprint should
> > be displayed instead.
> >
> >+Gentoo Keyserver
> >+----------------
> >+
> >+Gentoo infrastructure uses a keyserver that is isolated from the SKS pool.
> >+This keyserver is restricted to accepting uploads from authorized Gentoo hosts.
> >+A script is provided on dev.gentoo.org to allow developers to upload their
> >+keys. This upload is required in addition to uploading to the SKS pool.
> >+
> >+``gpg --export KEYID | ssh dev.gentoo.org /usr/local/bin/openpgp-key-upload``
> >+
> > Backwards Compatibility
> > =======================
> >
> >--
> >2.30.0.rc0
> >
> >
>
> Thanks for doing this! You beat me to the punch. I was going to try getting to
> it tomorrow.
>
> It may be good to also change step 7 under "Bare minimum requirements" to read:
>
>      7. Upload your key to the Gentoo Keyserver before usage!
>
> It'd give skimmers a trigger to look for the Gentoo keyserver info.

Sure, happy to make that change.

> We might want to add "Upload to the SKS or some other public PGP pool" under
> "Recommendations", but that's probably beyond the scope of the document now.

I think it makes sense to move the SKS instruction to the
recommendations section.

> Lastly, should we have a link to the step-by-step guide? [1]
>
> [1]: https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys

I'm not sure I like the idea of referring the user to a wiki article
in the GLEP. What do others think of this?

If others agree, please propose some language/location to insert it,
or send a patch of your own (feel free to use my patch as a starting
point).

Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

[Michał Górny]

On Thu, 2020-12-17 at 15:15 -0500, Mike Gilbert wrote:
> On Thu, Dec 17, 2020 at 3:03 PM Aaron W. Swenson
> <titanofold@gentoo.org> wrote:
> > 
> > On Thu, Dec 17, 2020 at 01:12:16PM -0500, Mike Gilbert wrote:
> > > Signed-off-by: Mike Gilbert <floppym@gentoo.org>
> > > ---
> > > 
> > > v2: Added "This upload is required in addition to uploading the
> > > SKS pool."
> > > 
> > > glep-0063.rst | 24 ++++++++++++++++++++----
> > > 1 file changed, 20 insertions(+), 4 deletions(-)
> > > 
> > > diff --git a/glep-0063.rst b/glep-0063.rst
> > > index 82541bd..ec465db 100644
> > > --- a/glep-0063.rst
> > > +++ b/glep-0063.rst
> > > @@ -7,10 +7,10 @@ Author: Robin H. Johnson <robbat2@gentoo.org>,
> > >         Michał Górny <mgorny@gentoo.org>
> > > Type: Standards Track
> > > Status: Final
> > > -Version: 2.1
> > > +Version: 2.2
> > > Created: 2013-02-18
> > > -Last-Modified: 2019-11-07
> > > -Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24
> > > +Last-Modified: 2020-12-17
> > > +Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24,
> > > 2020-12-17
> > > Content-Type: text/x-rst
> > > ---
> > > 
> > > @@ -28,6 +28,9 @@ OpenPGP key management policies for the Gentoo
> > > Linux distribution.
> > > Changes
> > > =======
> > > 
> > > +v2.2
> > > +  Added "Gentoo Keyserver" section under "Gentoo Infrastructure"
> > > chapter.
> > > +
> > > v2.1
> > >   A requirement for an encryption key has been added, in order to
> > > extend
> > >   the GLEP beyond commit signing and into use of OpenPGP for dev-
> > > to-dev
> > > @@ -135,8 +138,11 @@ their primary key).
> > > 
> > > 5. Encrypted backup of your secret keys.
> > > 
> > > +Gentoo Infrstructure
> > > +====================
> > > +
> > > Gentoo LDAP
> > > -===========
> > > +-----------
> > > 
> > > All Gentoo developers must list the complete fingerprint for
> > > their primary
> > > keys in the "``gpgfingerprint``" LDAP field. It must be exactly
> > > 40 hex digits,
> > > @@ -147,6 +153,16 @@ of the fingerprint field. In any place that
> > > presently displays
> > > the "``gpgkey``" field, the last 16 hex digits of the fingerprint
> > > should
> > > be displayed instead.
> > > 
> > > +Gentoo Keyserver
> > > +----------------
> > > +
> > > +Gentoo infrastructure uses a keyserver that is isolated from the
> > > SKS pool.
> > > +This keyserver is restricted to accepting uploads from
> > > authorized Gentoo hosts.
> > > +A script is provided on dev.gentoo.org to allow developers to
> > > upload their
> > > +keys. This upload is required in addition to uploading to the
> > > SKS pool.
> > > +
> > > +``gpg --export KEYID | ssh dev.gentoo.org
> > > /usr/local/bin/openpgp-key-upload``
> > > +
> > > Backwards Compatibility
> > > =======================
> > > 
> > > --
> > > 2.30.0.rc0
> > > 
> > > 
> > 
> > Thanks for doing this! You beat me to the punch. I was going to try
> > getting to
> > it tomorrow.
> > 
> > It may be good to also change step 7 under "Bare minimum
> > requirements" to read:
> > 
> >      7. Upload your key to the Gentoo Keyserver before usage!
> > 
> > It'd give skimmers a trigger to look for the Gentoo keyserver info.
> 
> Sure, happy to make that change.
> 
> > We might want to add "Upload to the SKS or some other public PGP
> > pool" under
> > "Recommendations", but that's probably beyond the scope of the
> > document now.
> 
> I think it makes sense to move the SKS instruction to the
> recommendations section.
> 
> > Lastly, should we have a link to the step-by-step guide? [1]
> > 
> > [1]:
> > https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys
> 
> I'm not sure I like the idea of referring the user to a wiki article
> in the GLEP. What do others think of this?
> 
> If others agree, please propose some language/location to insert it,
> or send a patch of your own (feel free to use my patch as a starting
> point).
> 

I think we should actually have some dedicated info page purely for
Infra keyserver.  Possibly by replacing the index of
https://keys.gentoo.org.  Infra will look into it.

-- 
Best regards,
Michał Górny

Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 209 bytes --]

Please also update the license of the GLEP to CC-BY-SA-4.0 [1].
See for example glep-0001.rst for the new footer.

[1] https://www.gentoo.org/glep/glep-0001.html#what-belongs-in-a-successful-glep
    (item 8)

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 507 bytes --]

Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

[Mike Gilbert]

On Thu, Dec 17, 2020 at 4:31 PM Ulrich Mueller <ulm@gentoo.org> wrote:
>
> Please also update the license of the GLEP to CC-BY-SA-4.0 [1].
> See for example glep-0001.rst for the new footer.
>
> [1] https://www.gentoo.org/glep/glep-0001.html#what-belongs-in-a-successful-glep
>     (item 8)

Should I also drop the explicit copyright notice?

> Copyright (c) 2013-2019 by Robin Hugh Johnson, Andreas K. Hüttel,
> Marissa Fischer, Michał Górny.

Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 381 bytes --]

>>>>> On Thu, 17 Dec 2020, Mike Gilbert wrote:

> Should I also drop the explicit copyright notice?

>> Copyright (c) 2013-2019 by Robin Hugh Johnson, Andreas K. Hüttel,
>> Marissa Fischer, Michał Górny.

I think that a GLEP shouldn't have such a notice (after all, authors
are listed in the GLEP's header), but you cannot remove it without
permission of all authors.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 507 bytes --]

Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

[Mike Gilbert]

On Thu, Dec 17, 2020 at 5:03 PM Ulrich Mueller <ulm@gentoo.org> wrote:
>
> >>>>> On Thu, 17 Dec 2020, Mike Gilbert wrote:
>
> > Should I also drop the explicit copyright notice?
>
> >> Copyright (c) 2013-2019 by Robin Hugh Johnson, Andreas K. Hüttel,
> >> Marissa Fischer, Michał Górny.
>
> I think that a GLEP shouldn't have such a notice (after all, authors
> are listed in the GLEP's header), but you cannot remove it without
> permission of all authors.

Doesn't the same restriction apply to relicensing it?

Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

[Thomas Deutschmann]

[-- Attachment #1.1: Type: text/plain, Size: 559 bytes --]

Hi,

sorry to be a show stopper here but I have to admit I don't like this 
addition.

If I remember correctly we were talking about this when we actively 
worked on this GLEP and decided to not put put anything like that into 
GLEP because this is a implementation detail which doesn't belong into 
'specs'.

We maybe can talk about adding just a reference link to the Wiki guide 
but I don't believe we should add this to GLEP.


-- 
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

[Mike Gilbert]

On Thu, Dec 17, 2020 at 6:58 PM Thomas Deutschmann <whissi@gentoo.org> wrote:
>
> Hi,
>
> sorry to be a show stopper here but I have to admit I don't like this
> addition.
>
> If I remember correctly we were talking about this when we actively
> worked on this GLEP and decided to not put put anything like that into
> GLEP because this is a implementation detail which doesn't belong into
> 'specs'.
>
> We maybe can talk about adding just a reference link to the Wiki guide
> but I don't believe we should add this to GLEP.

The GLEP already mentions the SKS keyserver pool, and the Gentoo LDAP
directory. Are these not also "implementation details"?

Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

[Thomas Deutschmann]

[-- Attachment #1.1: Type: text/plain, Size: 908 bytes --]

On 2020-12-18 01:24, Mike Gilbert wrote:
> The GLEP already mentions the SKS keyserver pool, and the Gentoo LDAP
> directory. Are these not also "implementation details"?

Hrm,

I missed point 7. In this case how about replacing

> Upload your key to the SKS keyserver rotation before usage!

with

> Upload your key to the keyservers [11] before usage!
 >
 > [...]
 >
 > References
 >
 > [...]
 > [11] Gentoo Wiki: Upload GLEP 63 based OpenPGP keys to keyservers 
(https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys#Submit_your_new_key_to_the_keyserver)

That's all I would do to keep as many details out of the specs. But 
maybe I am the only one who is so strict about the spec... I am just 
saying and asking for comments.


-- 
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 830 bytes --]

>>>>> On Thu, 17 Dec 2020, Mike Gilbert wrote:

> Doesn't the same restriction apply to relicensing it?

No, because the CC licenses have an explicit provision that allows it
when distributing a modified work (which they call an "Adaptation",
defined in section 1a).

For example, CC-BY-SA-3.0 says in section 4b:

   You may Distribute or Publicly Perform an Adaptation only under the
   terms of: (i) this License; (ii) a later version of this License with
   the same License Elements as this License; (iii) a Creative Commons
   jurisdiction license (either this or a later license version) that
   contains the same License Elements as this License (e.g.,
   Attribution-ShareAlike 3.0 US)); (iv) a Creative Commons Compatible
   License. [...]

Item (ii) is what gives us the right to distribute under CC-BY-SA-4.0.

Ulrich

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 507 bytes --]

[gentoo-dev] [PATCH v3] glep-0063: Add section about the Gentoo keyserver

[Mike Gilbert]

Signed-off-by: Mike Gilbert <floppym@gentoo.org>
---

v3: Fixed typo. 
    Added link to keys.gentoo.org.
    Moved SKS upload advice to Recommendations section.
    Added Gentoo keyserver advice to Bare minimum requirements section.

 glep-0063.rst | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)

diff --git a/glep-0063.rst b/glep-0063.rst
index 82541bd..6997044 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -7,10 +7,10 @@ Author: Robin H. Johnson <robbat2@gentoo.org>,
         Michał Górny <mgorny@gentoo.org>
 Type: Standards Track
 Status: Final
-Version: 2.1
+Version: 2.2
 Created: 2013-02-18
-Last-Modified: 2019-11-07
-Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24
+Last-Modified: 2020-12-17
+Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24, 2020-12-17
 Content-Type: text/x-rst
 ---
 
@@ -28,6 +28,9 @@ OpenPGP key management policies for the Gentoo Linux distribution.
 Changes
 =======
 
+v2.2
+  Added information about the Gentoo keyserver.
+
 v2.1
   A requirement for an encryption key has been added, in order to extend
   the GLEP beyond commit signing and into use of OpenPGP for dev-to-dev
@@ -114,7 +117,7 @@ Keys that do not conform to them can not be used to commit.
 
 6. UID using your ``@gentoo.org`` e-mail included in the key.
 
-7. Upload your key to the SKS keyserver rotation before usage!
+7. Keys must be uploaded to the Gentoo keyserver.
 
 Recommendations
 ---------------
@@ -135,8 +138,13 @@ their primary key).
 
 5. Encrypted backup of your secret keys.
 
+6. Upload to SKS or another public keyserver pool.
+
+Gentoo Infrastructure
+=====================
+
 Gentoo LDAP
-===========
+-----------
 
 All Gentoo developers must list the complete fingerprint for their primary
 keys in the "``gpgfingerprint``" LDAP field. It must be exactly 40 hex digits,
@@ -147,6 +155,14 @@ of the fingerprint field. In any place that presently displays
 the "``gpgkey``" field, the last 16 hex digits of the fingerprint should
 be displayed instead.
 
+Gentoo Keyserver
+----------------
+
+Gentoo infrastructure uses a keyserver that is isolated from the SKS pool.
+This keyserver is restricted to accepting uploads from authorized Gentoo hosts.
+Instructions for uploading keys to this server may be found at
+https://keys.gentoo.org/.
+
 Backwards Compatibility
 =======================
 
@@ -212,6 +228,6 @@ Copyright
 Copyright (c) 2013-2019 by Robin Hugh Johnson, Andreas K. Hüttel,
 Marissa Fischer, Michał Górny.
 
-This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
-Unported License.  To view a copy of this license, visit
-https://creativecommons.org/licenses/by-sa/3.0/.
+This work is licensed under the Creative Commons Attribution-ShareAlike 4.0
+International License.  To view a copy of this license, visit
+https://creativecommons.org/licenses/by-sa/4.0/.
-- 
2.30.0.rc0

Re: [gentoo-dev] [PATCH v3] glep-0063: Add section about the Gentoo keyserver

[Michał Górny]

On Fri, 2020-12-18 at 10:56 -0500, Mike Gilbert wrote:
> Signed-off-by: Mike Gilbert <floppym@gentoo.org>
> ---
> 
> v3: Fixed typo. 
>     Added link to keys.gentoo.org.
>     Moved SKS upload advice to Recommendations section.
>     Added Gentoo keyserver advice to Bare minimum requirements
> section.
> 
>  glep-0063.rst | 32 ++++++++++++++++++++++++--------
>  1 file changed, 24 insertions(+), 8 deletions(-)
> 
> diff --git a/glep-0063.rst b/glep-0063.rst
> index 82541bd..6997044 100644
> --- a/glep-0063.rst
> +++ b/glep-0063.rst
> @@ -7,10 +7,10 @@ Author: Robin H. Johnson <robbat2@gentoo.org>,
>          Michał Górny <mgorny@gentoo.org>
>  Type: Standards Track
>  Status: Final
> -Version: 2.1
> +Version: 2.2
>  Created: 2013-02-18
> -Last-Modified: 2019-11-07
> -Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24
> +Last-Modified: 2020-12-17
> +Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24, 2020-
> 12-17
>  Content-Type: text/x-rst
>  ---
>  
> @@ -28,6 +28,9 @@ OpenPGP key management policies for the Gentoo
> Linux distribution.
>  Changes
>  =======
>  
> +v2.2
> +  Added information about the Gentoo keyserver.
> +
>  v2.1
>    A requirement for an encryption key has been added, in order to
> extend
>    the GLEP beyond commit signing and into use of OpenPGP for dev-to-
> dev
> @@ -114,7 +117,7 @@ Keys that do not conform to them can not be used
> to commit.
>  
>  6. UID using your ``@gentoo.org`` e-mail included in the key.
>  
> -7. Upload your key to the SKS keyserver rotation before usage!
> +7. Keys must be uploaded to the Gentoo keyserver.
>  
>  Recommendations
>  ---------------
> @@ -135,8 +138,13 @@ their primary key).
>  
>  5. Encrypted backup of your secret keys.
>  
> +6. Upload to SKS or another public keyserver pool.
> +
> +Gentoo Infrastructure
> +=====================
> +
>  Gentoo LDAP
> -===========
> +-----------
>  
>  All Gentoo developers must list the complete fingerprint for their
> primary
>  keys in the "``gpgfingerprint``" LDAP field. It must be exactly 40
> hex digits,
> @@ -147,6 +155,14 @@ of the fingerprint field. In any place that
> presently displays
>  the "``gpgkey``" field, the last 16 hex digits of the fingerprint
> should
>  be displayed instead.
>  
> +Gentoo Keyserver
> +----------------
> +
> +Gentoo infrastructure uses a keyserver that is isolated from the SKS
> pool.
> +This keyserver is restricted to accepting uploads from authorized
> Gentoo hosts.
> +Instructions for uploading keys to this server may be found at
> +https://keys.gentoo.org/.
> +
>  Backwards Compatibility
>  =======================
>  
> @@ -212,6 +228,6 @@ Copyright
>  Copyright (c) 2013-2019 by Robin Hugh Johnson, Andreas K. Hüttel,
>  Marissa Fischer, Michał Górny.
>  
> -This work is licensed under the Creative Commons Attribution-
> ShareAlike 3.0
> -Unported License.  To view a copy of this license, visit
> -https://creativecommons.org/licenses/by-sa/3.0/.
> +This work is licensed under the Creative Commons Attribution-
> ShareAlike 4.0
> +International License.  To view a copy of this license, visit
> +https://creativecommons.org/licenses/by-sa/4.0/.

LGTM.  Thanks!

-- 
Best regards,
Michał Górny

Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

[Mike Gilbert]

On Fri, Dec 18, 2020 at 2:45 AM Ulrich Mueller <ulm@gentoo.org> wrote:
>
> >>>>> On Thu, 17 Dec 2020, Mike Gilbert wrote:
>
> > Doesn't the same restriction apply to relicensing it?
>
> No, because the CC licenses have an explicit provision that allows it
> when distributing a modified work (which they call an "Adaptation",
> defined in section 1a).
>
> For example, CC-BY-SA-3.0 says in section 4b:
>
>    You may Distribute or Publicly Perform an Adaptation only under the
>    terms of: (i) this License; (ii) a later version of this License with
>    the same License Elements as this License; (iii) a Creative Commons
>    jurisdiction license (either this or a later license version) that
>    contains the same License Elements as this License (e.g.,
>    Attribution-ShareAlike 3.0 US)); (iv) a Creative Commons Compatible
>    License. [...]
>
> Item (ii) is what gives us the right to distribute under CC-BY-SA-4.0.

Thank you for taking the time to explain this.