From: "Robin H. Johnson"
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH v2 4/6] app-crypt/openpgp-keys-miniupnp: Package keys used by miniupnp upst
Date: Tue, 6 Oct 2020 18:17:23 +0000
In-Reply-To: <20201006121050.106011-4-mgorny@gentoo.org>
References: <20201006121050.106011-1-mgorny@gentoo.org> <20201006121050.106011-4-mgorny@gentoo.org>

While I'm absolutely in favour of the overall intent here, I'm not so sure of the design. I'm worried about the proliferation of tiny packages just to convey the keys, and how versioning should work if upstream rotates their keys.

I picked this message in the thread to respond to, because it was clearest that this could break when the keys are rotated. The old releases might not be verifiable with the new keys.

Additionally:
- not all upstream providers ship .asc files of their keys
- some upstreams use signed DIGESTS files rather than directly signing the distfiles (esp. where distfiles are larger)

Can we instead:
Inside the ebuild and/or metadata.xml, convey:
1. URL(s) to fetch keys, incl. keyserver support
2. Full key fingerprint

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
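An added example, not part of the original message or of Gentoo's own tooling, of the two checks the proposal implies once a key has been fetched by URL or keyserver and imported with gpg: pin the fetched key's full primary fingerprint against the set the ebuild or metadata.xml conveys (a set, so an old release stays verifiable after the rotation discussed above), and, for upstreams that sign a DIGESTS file instead of the distfile, tie the tarball to the signed body by hash. The gpg listing and the DIGESTS file are constructed samples with placeholder key IDs; sha256sum-style DIGESTS lines are an assumption, and the gpg import/verify invocation itself is left to the caller.

```python
import hashlib
import re

# Constructed `gpg --with-colons --fingerprint --list-keys` output for a key fetched
# from a keyserver (placeholder key IDs, not miniupnp's real keys).
SAMPLE_LISTING = """pub:-:4096:1:0123456789ABCDEF:1500000000::::::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sub:-:4096:1:FEDCBA9876543210:1500000000::::::s::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""

# Constructed cleartext-signed DIGESTS file, assumed to use sha256sum's line format;
# the signature block is a placeholder and `gpg --verify` is assumed to have passed.
SAMPLE_DIGESTS = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  example-1.0.tar.gz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
"""

def primary_fingerprints(listing: str) -> set:
    # Take the 'fpr' record that directly follows a 'pub' record; subkey fingerprints
    # are skipped, since the pin names the primary key.
    fprs, last = set(), None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            last = f[0]
        elif f[0] == "fpr" and last == "pub" and len(f) > 9:
            fprs.add(f[9].upper())
    return fprs

def key_is_pinned(listing: str, pinned: set) -> bool:
    # `pinned` holds the full fingerprints the ebuild/metadata.xml conveys (old and new
    # key after a rotation); a key matching none is rejected, short IDs never compare.
    return bool(primary_fingerprints(listing) & {p.upper() for p in pinned})

def digests_from_signed(cleartext: str) -> dict:
    # Only text between the 'Hash:' armor headers and the signature block is signed.
    signed = cleartext.partition("-----BEGIN PGP SIGNED MESSAGE-----")[2]
    signed = signed.partition("-----BEGIN PGP SIGNATURE-----")[0]
    body = signed.partition("\n\n")[2]  # the blank line ends the armor headers
    pat = re.compile(r"^(?:- )?([0-9a-f]{64})\s+\*?(\S+)$", re.I)  # '(?:- )?' undoes dash-escaping
    return {m.group(2): m.group(1).lower() for m in map(pat.match, body.splitlines()) if m}

def distfile_matches(digests: dict, name: str, data: bytes) -> bool:
    # A signed DIGESTS file never signs the tarball itself: trust reaches it only here.
    return digests.get(name) == hashlib.sha256(data).hexdigest()
```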