Re: [gentoo-dev] GPG key refresh

[Mike Gilbert <floppym@gentoo.org>]

On Wed, Dec 16, 2020 at 3:01 AM Michał Górny <mgorny@gentoo.org> wrote:
>
> On Tue, 2020-12-15 at 23:37 -0500, Aaron W. Swenson wrote:
> > On 2020-12-15 11:16, Michael Orlitzky wrote:
> > > On 12/15/20 11:11 AM, Thomas Deutschmann wrote:
> > > >
> > > > What do you mean exactly?
> > > >
> > > > For Gentoo tooling, only Gentoo keyservers are important and
> > > > Gentoo no longer synchronizes with any other pool.
> > > >
> > > "The Gentoo developer tooling explicitly checks the Gentoo
> > > keyserver
> > > pool with a much higher frequency" strongly implies that we check
> > > the
> > > non-Gentoo pools with a non-zero frequency.
> > >
> > >
> >
> > I'm with Michael on this. I've recently experienced this issue myself
> > as the
> > instruction to upload the key to the Gentoo keyserver is separate
> > from the
> > GLEP63[1] document. It doesn't matter that the step is documented if
> > the Holy
> > Tome GLEP63 doesn't mention it. What hint would I have to look for a
> > supplemental document to provide that specific step?
> >
> > According to GLEP 63, uploading to the SKS keyserver is a
> > requirement.
> > However, it fails to specify which SKS keyserver. In fact, neither
> > "SKS" nor
> > "keyserver" are defined in GLEP63. Ergo, the natural interpretation
> > is *anything*
> > that's called an SKS keyserver will satisfy the requirement. As long
> > as the
> > developer can submit the key, the requirement is met.
> >
> > Additionally, the supplemental document[2] doesn't say developers
> > must upload
> > via an internal host, but that devs should upload to both SKS and the
> > Gentoo
> > keyserver. Yes, it says the Gentoo keyserver is currently restricted
> > to syncing
> > with "authorized Gentoo hosts", but that's a nonsense phrase and
> > unhelpful. It
> > assumes I know what the authorized Gentoo hosts are. It doesn't
> > clearly state
> > what they are. It kind of hints that it will pull from SKS
> > eventually, but it
> > could take a long time.
> >
> > I understand we temporarily stopped syncing with the public keyserver
> > out of an
> > overabundance of caution. However, that shouldn't have been done
> > without
> > updating every official Gentoo resource regarding how devs should
> > handle their
> > keys, which as far as I know is only two documents[1,2]. A whopping 2
> > documents.
> >
> > This new (I know it's been around for a year but that doesn't make it
> > any less
> > new), stricter requirement, should be **explicitly** stated in
> > GLEP63, properly
> > referencing the justification[3], and linking to the infra
> > supplemental
> > document. The infra supplemental document needs to then use the
> > phrase "must" in
> > place of "should" when informing readers to upload to two different
> > locations.
>
> ...and what have you done to resolve the problem, except for making
> oververbose complaints and demands in middle of some random thread?

If you think he's being unhelpful, maybe suggest ways of contributing
that would be more helpful. There's no need for this snippy reply.