From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1R9JnW-0001wN-Sz for garchives@archives.gentoo.org; Thu, 29 Sep 2011 16:49:25 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 699F121C0C5; Thu, 29 Sep 2011 16:49:07 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 4EED821C03F for ; Thu, 29 Sep 2011 16:48:57 +0000 (UTC) Received: from localhost (unknown [50.55.67.221]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: titanofold) by smtp.gentoo.org (Postfix) with ESMTPSA id 9B7711B400E for ; Thu, 29 Sep 2011 16:48:56 +0000 (UTC) Date: Thu, 29 Sep 2011 16:48:35 +0000 From: "Mr. Aaron W. Swenson" To: gentoo-project@lists.gentoo.org Subject: Re: [gentoo-project] Re: [gentoo-dev] Manifest signing Message-ID: <20110929164834.GB32072@atlas> Mail-Followup-To: gentoo-project@lists.gentoo.org References: <4E848879.2050100@gentoo.org> <4E848916.7010002@gentoo.org> <4E848ABF.7060308@gentoo.org> <201109291223.09032.vapier@gentoo.org> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Project discussion list X-BeenThere: gentoo-project@lists.gentoo.org Reply-To: gentoo-project@lists.gentoo.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="V0207lvV8h4k8FAm" Content-Disposition: inline In-Reply-To: <201109291223.09032.vapier@gentoo.org> User-Agent: Mutt/1.5.21 (2010-09-15) X-Archives-Salt: X-Archives-Hash: 250da0362bd1d29e3f6ba44f349b07f6 --V0207lvV8h4k8FAm Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Sep 29, 2011 at 12:23:08PM -0400, Mike Frysinger wrote: > On Thursday, September 29, 2011 11:11:59 Patrick Lauer wrote: > > On 09/29/11 17:04, Tony "Chainsaw" Vroon wrote: > > > On 29/09/11 16:02, Anthony G. Basile wrote: > > >> Is there any chance that we can agree to reject > > >> unsigned manifests? Possibly a question for the Council to adjudica= te? > > >=20 > > > I am happy to back a mandatory signing policy for the main gentoo-x86 > > > tree. This is a simple yes or no question that the council can vote o= n. > >=20 > > As previously discussed it would be nice to have some basic key policies > > in place for that - they can be changed at any later time, but for now > > we could agree on basic parameters like, say - > >=20 > > at least 1024bit key length > > at least 6 months validity from creation > > one or more algorithms (initially DSA signatures and SHA1 hashing) >=20 > there's nothing to decide as it was already outlined long ago in the docs: > http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=3D2&chap= =3D6 >=20 > if you want to *refine* that, then that's a different issue. but the dev= s=20 > already have all the info they need to start signing now. > -mike Well, there's a bit more to it than that. 'repoman' must enforce the usage of keys or die if it can't. Further, it needs to allow the selection of a key if it can't determine which to use. I was hit by this last night. Instead of dying and saying that I chose to sign but it couldn't determine which secret key to use (I recently generated a new key), it just disabled FEATURES=3D"sign" and committed anyway. Also, the Dev Handbook only says 'can', it needs to be changed to 'must'. I'd also drop the bit about expiration. Instead, I'd change it to read "expires no sooner than 6 months". You know, to give the key a moment to be recognized by some people, perhaps even marginally trusted by someone. What really matters is that it is an unexpired, valid key. --=20 Mr. Aaron W. Swenson Pseudonym: TitanOfOld Gentoo Developer --V0207lvV8h4k8FAm Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (GNU/Linux) iF4EAREIAAYFAk6EoWIACgkQVxOqA9G7/aAzHwEAhANiagTEsjLxUp3fO4j0rZFA 6Tk6PmB15Cg5rXSbY04BAJ5yIg7EyPCXgjAHgrvMkvCKQTGHsXgI3i5FEmu4cGLo =P0fo -----END PGP SIGNATURE----- --V0207lvV8h4k8FAm--