Subject: Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver
From: Michał Górny
To: gentoo-dev@lists.gentoo.org
Date: Thu, 17 Dec 2020 21:21:45 +0100
References: <20201217174909.1711154-1-floppym@gentoo.org> <20201217181216.1825482-1-floppym@gentoo.org>
Organization: Gentoo

On Thu, 2020-12-17 at 15:15 -0500, Mike Gilbert wrote:
> On Thu, Dec 17, 2020 at 3:03 PM Aaron W. Swenson
> wrote:
> >
> > On Thu, Dec 17, 2020 at 01:12:16PM -0500, Mike Gilbert wrote:
> > > Signed-off-by: Mike Gilbert
> > > ---
> > >
> > > v2: Added "This upload is required in addition to uploading the
> > > SKS pool."
> > >
> > > glep-0063.rst | 24 ++++++++++++++++++++----
> > > 1 file changed, 20 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/glep-0063.rst b/glep-0063.rst
> > > index 82541bd..ec465db 100644
> > > --- a/glep-0063.rst
> > > +++ b/glep-0063.rst
> > > @@ -7,10 +7,10 @@ Author: Robin H. Johnson ,
> > >         Michał Górny
> > > Type: Standards Track
> > > Status: Final
> > > -Version: 2.1
> > > +Version: 2.2
> > > Created: 2013-02-18
> > > -Last-Modified: 2019-11-07
> > > -Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24
> > > +Last-Modified: 2020-12-17
> > > +Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24,
> > > 2020-12-17
> > > Content-Type: text/x-rst
> > > ---
> > >
> > > @@ -28,6 +28,9 @@ OpenPGP key management policies for the Gentoo
> > > Linux distribution.
> > > Changes
> > > =======
> > >
> > > +v2.2
> > > +  Added "Gentoo Keyserver" section under "Gentoo Infrastructure"
> > > chapter.
> > > +
> > > v2.1
> > >   A requirement for an encryption key has been added, in order to
> > > extend
> > >   the GLEP beyond commit signing and into use of OpenPGP for dev-
> > > to-dev
> > > @@ -135,8 +138,11 @@ their primary key).
> > >
> > > 5. Encrypted backup of your secret keys.
> > >
> > > +Gentoo Infrstructure
> > > +====================
> > > +
> > > Gentoo LDAP
> > > -===========
> > > +-----------
> > >
> > > All Gentoo developers must list the complete fingerprint for
> > > their primary
> > > keys in the "``gpgfingerprint``" LDAP field. It must be exactly
> > > 40 hex digits,
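Review bot: the new chapter heading in the third hunk is misspelled: `+Gentoo Infrstructure` should read `Gentoo Infrastructure`, which is also how the v2.2 changelog entry earlier in the patch spells it. The `=` underline is sized to the misspelled title (20 characters), so fixing the word needs one more `=` as well, otherwise docutils reports the title underline as too short.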
> > > @@ -147,6 +153,16 @@ of the fingerprint field. In any place that
> > > presently displays
> > > the "``gpgkey``" field, the last 16 hex digits of the fingerprint
> > > should
> > > be displayed instead.
> > >
> > > +Gentoo Keyserver
> > > +----------------
> > > +
> > > +Gentoo infrastructure uses a keyserver that is isolated from the
> > > SKS pool.
> > > +This keyserver is restricted to accepting uploads from
> > > authorized Gentoo hosts.
> > > +A script is provided on dev.gentoo.org to allow developers to
> > > upload their
> > > +keys. This upload is required in addition to uploading to the
> > > SKS pool.
> > > +
> > > +``gpg --export KEYID | ssh dev.gentoo.org
> > > /usr/local/bin/openpgp-key-upload``
> > > +
> > > Backwards Compatibility
> > > =======================
> > >
> > > --
> > > 2.30.0.rc0
> > >
> > >
> > Thanks for doing this! You beat me to the punch. I was going to try
> > getting to
> > it tomorrow.
> >
> > It may be good to also change step 7 under "Bare minimum
> > requirements" to read:
> >
> >      7. Upload your key to the Gentoo Keyserver before usage!
> >
> > It'd give skimmers a trigger to look for the Gentoo keyserver info.
>
> Sure, happy to make that change.
>
> > We might want to add "Upload to the SKS or some other public PGP
> > pool" under
> > "Recommendations", but that's probably beyond the scope of the
> > document now.
>
> I think it makes sense to move the SKS instruction to the
> recommendations section.
>
> > Lastly, should we have a link to the step-by-step guide? [1]
> >
> > [1]:
> > https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys
>
> I'm not sure I like the idea of referring the user to a wiki article
> in the GLEP. What do others think of this?
>
> If others agree, please propose some language/location to insert it,
> or send a patch of your own (feel free to use my patch as a starting
> point).
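Review bot: in the last hunk the upload command is written as an inline literal (``gpg --export KEYID | ssh dev.gentoo.org /usr/local/bin/openpgp-key-upload``), which reStructuredText renders inside a paragraph; a literal block (a paragraph ending in `::` with the command indented beneath it) keeps it on its own line and copy-pasteable. The section should also say what `KEYID` is: the GLEP already requires the full 40-hex-digit fingerprint in LDAP, and passing that fingerprint to `gpg --export` selects exactly the intended key, whereas `gpg --export` with no key given exports every public key in the keyring, so the placeholder is not optional. Finally, "This upload is required in addition to uploading to the SKS pool" will need rewording if the SKS instruction is moved to "Recommendations" as discussed in this thread.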
>
I think we should actually have some dedicated info page purely for Infra keyserver. Possibly by replacing the index of https://keys.gentoo.org. Infra will look into it.

-- 
Best regards,
Michał Górny