From: Brian Dolbec
To: gentoo-project@lists.gentoo.org
Subject: Re: [gentoo-project] Re: [gentoo-dev-announce] Call for agenda items - pgp key handling
Date: Tue, 29 Oct 2013 22:35:47 -0700
Message-ID: <1383111347.22694.113.camel@big_daddy.dol-sen.ca>
In-Reply-To: <527053EF.9080200@gentoo.org>

I have been working on the gentoo-keys project [1] to actively maintain the gentoo gpg keys installation, validation, etc. for users, devs and servers.

On Wed, 2013-10-30 at 08:33 +0800, Patrick Lauer wrote:
> On 10/29/2013 09:23 PM, Andreas K. Huettel wrote:
> > In two weeks from now, the council will again have its regular monthly
> > meeting. Now is the time to raise and prepare items that the council should
> > put on the agenda to discuss or vote on.
>
> Request: A minimal policy for pgp keys and key handling (for commit signing)
>
> - Define the allowed key parameters:
>   e.g. 2048bit RSA or DSA, validity at least 6 months
>

I have it to a point that it would be easy to create a template to semi-automate the process of creating/updating the keys. But a spec is needed for it. That spec can be another file that can be updated and downloaded automatically whenever that functionality is used. No need for a new release of the app with the changes.

> - Define a canonical location (e.g. in LDAP and on at least one
>   keyserver) where every dev's key is accessible (at least to gentoo infra)
>

I have code done which I run from woodpecker (or some other ldap-accessible system) that mines the gpg keys from ldap and creates the seed file from that info. Last I test-ran it, there were still a number of devs with mismatched keys and fingerprints, and one without a gpg key or fingerprint. Currently it is a little awkward to run from my dev space due to the +x restriction. It has to be run via "python2.x ldap-seeds" currently. Setting up some automation or having it installed is a next step that needs discussion. It will have a python interface that can be incorporated into last summer's GSOC projects that mgorny and dastergon were working on, which could do entry validation and trigger the seed file updates.

> - Define a location of a (signed, autoupdated) global keyring that is
>   accessible to all interested parties (e.g.
>   http://www.gentoo.org/keyring.txt )
>

The seed file will be made available similar to layman's repositories.xml list, e.g.: https://api.gentoo.org/overlays/repositories.xml

From the seed lists available there, any or all of the dev or release media keys can be installed (using the seed info to get the key from the key server, check the fingerprints match, etc.). The cli interface will have convenience functions for checking and validating the release media and other downloads.

I am in the process of updating mirrorselect's code to get its lists from:

MIRRORS_3_XML = 'https://api.gentoo.org/mirrors/distfiles.xml'
MIRRORS_RSYNC_DATA = 'https://api.gentoo.org/mirrors/rsync.xml'

> That's the first stage that can be done now without big problems, and it
> can be amended at any later time if there's any deficiencies.
> (so if we agree that 2048 bit are not enough we just fix it to 4096 bit
> and a three-month migration time)
>
> With that in place we can make commit signing mandatory (because right
> now we don't even have a way to fetch all keys, so it's worse than
> useless).

Last I was actively working on it, I was about to start coding the git commit validation hook. But got injured/concussion that put that on hold.

>
> And then as a third stage we can discuss things like, say, disabling
> commit access when the key is less than a month valid (after sending
> some automated warning mails, yes?) and other ways to make this meaningful.
>
> But - let's not get carried away in a big debate about how the NSA has
> infiltrated the minds of at least three devs, so we need four signatures
> on every commit before it goes live, and other unrelated madness. Just
> define the minimum set of rules to make signing useful, and then figure
> out how to enforce it.
>
> (As a sidenote, someone might want to figure out how to do remote signed
> commits - last time this was discussed I think there were some minor
> issues that should be worked out so that we're all not too affected with
> workflow changes)
>
> Thanks,
>
> Patrick
>

P.S. I welcome anyone to join in and help with its development.

[1] http://git.overlays.gentoo.org/gitweb/?p=proj/gentoo-keys.git;a=summary

-- 
Brian Dolbec
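The checks this thread describes, an LDAP-mined seed list whose keyids and fingerprints must agree with each other and with the key fetched from a keyserver, plus the proposed minimum parameters (2048-bit RSA or DSA, at least 6 months of validity), as an added Python example. This is not gentoo-keys code and not Brian's ldap-seeds script: the seed entries, the gpg colon-format records and every keyid and fingerprint are constructed for illustration, the 182-day figure for "6 months" is an assumption, and the fixed "now" is chosen only to make the expiry check reproducible.

```python
# Added example (not gentoo-keys code): audit a seed list mined from LDAP against
# keys fetched from a keyserver and against the proposed minimum key policy.
# Every keyid, fingerprint and gpg output line below is constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

ALGO_NAMES = {1: "RSA", 17: "DSA"}  # OpenPGP public-key algorithm ids (RFC 4880)

# "Mined from LDAP": each dev's keyid and fingerprint as stored in the directory.
# A long keyid is the last 16 hex digits of the fingerprint, so the two fields
# can be cross-checked before any keyserver is contacted.
LDAP_SEEDS = {
    "alice": {"keyid": "89ABCDEF01234567", "fingerprint": "0123456789ABCDEF0123456789ABCDEF01234567"},
    "bob":   {"keyid": "0123456789ABCDEF", "fingerprint": "9ABCDEF0123456789ABCDEF0123456789ABCDEF0"},
    "carol": {"keyid": "76543210FEDCBA98", "fingerprint": "FEDCBA9876543210FEDCBA9876543210FEDCBA98"},
    "dave":  {"keyid": "", "fingerprint": ""},
    "erin":  {"keyid": "7777888899990000", "fingerprint": "1111222233334444555566667777888899990000"},
}

# `gpg --with-colons --list-keys` output for the fetched keys (constructed).
# pub fields: type:validity:bits:algo:keyid:created:expires:...; the fpr record
# carries the fingerprint in field 10. Erin's 1024-bit DSA key expires in early 2014.
GPG_COLONS = """\
pub:u:4096:1:89ABCDEF01234567:1380000000:1420000000::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
pub:u:2048:1:76543210FEDCBA98:1380000000::::::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
pub:u:1024:17:7777888899990000:1370000000:1390000000::u:::scSC:
fpr:::::::::1111222233334444555566667777888899990000:
"""

# Fixed "now" (2013-10-30 00:00 UTC) so the expiry check is reproducible.
NOW = int(datetime(2013, 10, 30, tzinfo=timezone.utc).timestamp())

@dataclass
class KeyInfo:
    keyid: str
    bits: int
    algo: int
    expires: Optional[int]  # None when the key never expires
    fingerprint: str = ""

@dataclass
class Policy:  # the minimal policy proposed in the quoted mail
    min_bits: int = 2048
    allowed_algos: tuple = (1, 17)        # RSA or DSA
    min_validity_secs: int = 182 * 86400  # "at least 6 months", assumed as 182 days

def parse_colons(text: str) -> Dict[str, KeyInfo]:
    """Parse pub/fpr records of gpg colon output into KeyInfo keyed by fingerprint."""
    keys: List[KeyInfo] = []
    current: Optional[KeyInfo] = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = KeyInfo(keyid=f[4], bits=int(f[2]), algo=int(f[3]),
                              expires=int(f[6]) if f[6] else None)
            keys.append(current)
        elif f[0] == "fpr" and current is not None and not current.fingerprint:
            current.fingerprint = f[9]  # only the first fpr after a pub: subkey fprs are skipped
    return {k.fingerprint: k for k in keys}

def check_key(key: KeyInfo, policy: Policy, now: int) -> List[str]:
    """Return the policy violations of one key (an empty list means compliant)."""
    problems = []
    if key.algo not in policy.allowed_algos:
        problems.append(f"algorithm {ALGO_NAMES.get(key.algo, key.algo)} not allowed")
    if key.bits < policy.min_bits:
        problems.append(f"{key.bits}-bit key is below the {policy.min_bits}-bit minimum")
    if key.expires is not None and key.expires < now + policy.min_validity_secs:
        problems.append("key expires before the required minimum validity window")
    return problems

def audit(seeds, colons: str, policy: Policy, now: int) -> Dict[str, List[str]]:
    """Cross-check each LDAP entry against itself, the fetched keyring and the policy."""
    keyring = parse_colons(colons)
    report: Dict[str, List[str]] = {}
    for nick, entry in seeds.items():
        keyid = entry["keyid"].replace(" ", "").upper()
        fpr = entry["fingerprint"].replace(" ", "").upper()
        if not keyid or not fpr:
            report[nick] = ["no gpg key or fingerprint in LDAP"]
        elif len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
            report[nick] = ["malformed fingerprint in LDAP"]
        elif fpr[-16:] != keyid:
            report[nick] = [f"keyid {keyid} does not match fingerprint {fpr}"]
        elif fpr not in keyring:
            report[nick] = ["no key with this fingerprint in the fetched keyring"]
        else:
            report[nick] = check_key(keyring[fpr], policy, now)
    return report

if __name__ == "__main__":
    for nick, problems in audit(LDAP_SEEDS, GPG_COLONS, Policy(), NOW).items():
        print(f"{nick}: {'OK' if not problems else '; '.join(problems)}")
```

The LDAP self-consistency test (keyid equals the last 16 hex digits of the fingerprint) runs before anything is fetched, which is the cheap check that catches the mismatched entries mentioned above; the keyserver lookup is then keyed on the full fingerprint rather than the short or long keyid, so a key that merely shares a keyid is not accepted. A key with no expiry passes the validity window as written; whether the policy should also require an expiry date is a separate decision the thread leaves open.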