On Thu, Sep 29, 2011 at 12:23:08PM -0400, Mike Frysinger wrote:
> On Thursday, September 29, 2011 11:11:59 Patrick Lauer wrote:
> > On 09/29/11 17:04, Tony "Chainsaw" Vroon wrote:
> > > On 29/09/11 16:02, Anthony G. Basile wrote:
> > >> Is there any chance that we can agree to reject
> > >> unsigned manifests? Possibly a question for the Council to adjudicate?
> > >
> > > I am happy to back a mandatory signing policy for the main gentoo-x86
> > > tree. This is a simple yes or no question that the council can vote on.
> >
> > As previously discussed it would be nice to have some basic key policies
> > in place for that - they can be changed at any later time, but for now
> > we could agree on basic parameters like, say -
> >
> > at least 1024bit key length
> > at least 6 months validity from creation
> > one or more algorithms (initially DSA signatures and SHA1 hashing)
>
> there's nothing to decide as it was already outlined long ago in the docs:
> http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=2&chap=6
>
> if you want to *refine* that, then that's a different issue. but the devs
> already have all the info they need to start signing now.
> -mike

Well, there's a bit more to it than that.

'repoman' must enforce the usage of keys or die if it can't. Further, it
needs to allow the selection of a key if it can't determine which to use.

I was hit by this last night. Instead of dying and saying that I chose to
sign but it couldn't determine which secret key to use (I recently
generated a new key), it just disabled FEATURES="sign" and committed
anyway.

Also, the Dev Handbook only says 'can', it needs to be changed to 'must'.

I'd also drop the bit about expiration. Instead, I'd change it to read
"expires no sooner than 6 months". You know, to give the key a moment to
be recognized by some people, perhaps even marginally trusted by someone.
What really matters is that it is an unexpired, valid key.

-- 
Mr. Aaron W. Swenson
Pseudonym: TitanOfOld
Gentoo Developer
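
The behaviour asked for in this message (stop rather than drop signing when the secret key cannot be determined), combined with the key parameters proposed in the thread, as an added example that is not repoman code and not part of the original message. The function names, the 182-day reading of "6 months" and the sample listing are assumptions; timestamps are taken to be seconds since the epoch in gpg's colon-delimited key listing.

```python
MIN_BITS = 1024              # "at least 1024bit key length"
MIN_LIFETIME = 182 * 86400   # "6 months", assumed here to mean 182 days

class SigningError(Exception):
    """Raised instead of quietly committing unsigned."""

def usable_secret_keys(colons, now):
    """Key IDs of secret keys in `gpg --with-colons` output that meet the policy."""
    ok = []
    for line in colons.splitlines():
        f = line.split(":")
        if len(f) < 7 or f[0] != "sec":
            continue                      # only primary secret-key records
        bits, keyid, created = int(f[2]), f[4], int(f[5])
        expires = int(f[6]) if f[6] else None   # empty field: no expiry set
        if f[1] in ("e", "r", "i") or bits < MIN_BITS:
            continue                      # expired, revoked, invalid, or too short
        if expires is not None and (expires <= now or expires - created < MIN_LIFETIME):
            continue                      # already expired, or lifetime under 6 months
        ok.append(keyid)
    return ok

def select_signing_key(colons, now, requested=None):
    """Return exactly one key ID or raise; never fall back to not signing."""
    keys = usable_secret_keys(colons, now)
    if requested is not None:
        keys = [k for k in keys if k.endswith(requested.upper())]
    if not keys:
        raise SigningError("signing requested but no secret key meets the policy")
    if len(keys) > 1:
        raise SigningError("more than one usable key, pick one: " + ", ".join(keys))
    return keys[0]

# Constructed listing (not real keys) and a constructed "now" in late September 2011.
NOW = 1317254400
SAMPLE = """\
sec::512:17:1111111111111111:1100000000::
sec:e:1024:17:2222222222222222:1200000000:1300000000:
sec:u:2048:1:3333333333333333:1250000000::
sec:u:4096:1:4444444444444444:1317000000:1348536000:
sec:u:2048:1:5555555555555555:1316000000:1318592000:
"""
```

With two keys passing the policy, selection without an explicit key ID raises `SigningError`, which is the "die and ask" outcome described above rather than a silent unsigned commit.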