From: "Mr. Aaron W. Swenson" <titanofold@gentoo.org>
To: gentoo-project@lists.gentoo.org
Subject: Re: [gentoo-project] Re: [gentoo-dev] Manifest signing
Date: Thu, 29 Sep 2011 17:56:24 +0000 [thread overview]
Message-ID: <20110929175624.GD32072@atlas> (raw)
In-Reply-To: <201109291326.25838.vapier@gentoo.org>
On Thu, Sep 29, 2011 at 01:26:25PM -0400, Mike Frysinger wrote:
> On Thursday, September 29, 2011 12:48:35 Mr. Aaron W. Swenson wrote:
> > Well, there's a bit more to it than that. 'repoman' must enforce the
> > usage of keys or die if it can't.
>
> there's already bugs open for this. 298605 and 313601. if you want to
> accelerate things, then chip in and update repoman.
>
> > Also, the Dev Handbook only says 'can', it needs to be changed to
> > 'must'.
>
> that is the summary of the article which describes what the page is for,
> not the policy it enforces.
>
I guess I'm getting ahead of myself. We keep referencing that page saying
"here's how you should do it", but then we shoot ourselves in the foot
saying that it isn't policy in the next breath.
> > I'd also drop the bit about expiration. Instead, I'd change it to read
> > "expires no sooner than 6 months". You know, to give the key a moment
> > to be recognized by some people, perhaps even marginally trusted by
> > someone.
>
> i'm fine with extending the length of the key. i think last time this
> came up, so was everyone else. the point was more disallowing keys that
> never expire.
I agree with that. The key should have an expiration. (I said something
different to Mr. Vroon not too long ago.) We don't want a trusted key
sticking around forever after a dev leaves us. It should be long enough to
not be an inconvenience. Five years is the general recommendation. I'd say
the average Gentoo Dev lifespan. (Do we even have stats on that?)
> but this doesn't stop anyone from signing their manifests today.
No, it certainly doesn't.
> > What really matters is that it is an unexpired, valid key.
>
> no, what matters is that the key is unexpired/valid at the time the
> signature was made, and not revoked after that (simply because it
> expired ... revoking because of compromise is obviously OK).
That's what I meant.
--
Mr. Aaron W. Swenson
Pseudonym: TitanOfOld
Gentoo Developer
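The two rules argued over above, a signing-time key policy (keys must expire, but not within the next six months) and the verification-time distinction between a key that merely expired later and one revoked for compromise, modelled as an added example. This is not code from the thread, from repoman, or from Gentoo; the timestamps, fingerprints, the `Key` record and the six-month constant are constructed assumptions, and only the revocation reason codes come from OpenPGP (RFC 4880).

```python
"""Model of two checks discussed in the thread (constructed example, not
repoman's code): a key-policy check a signing tool could run before it
signs a Manifest, and a verification rule for signatures made with a key
that expired or was revoked after the signature was produced."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# OpenPGP revocation reason codes (RFC 4880, section 5.2.3.23)
REASON_NONE = 0
REASON_SUPERSEDED = 1
REASON_COMPROMISED = 2
REASON_RETIRED = 3

# Assumed policy from the thread: "expires no sooner than 6 months"
MIN_VALIDITY = timedelta(days=182)


@dataclass
class Key:
    fingerprint: str                    # placeholder string, not a real key
    created: datetime
    expires: Optional[datetime]         # None means the key never expires
    revoked_at: Optional[datetime] = None
    revocation_reason: Optional[int] = None


def check_signing_key_policy(key: Key, now: datetime) -> List[str]:
    """Problems that should make a signing tool refuse to use this key now."""
    problems = []
    if key.expires is None:
        problems.append("key never expires")          # the case the thread disallows
    elif key.expires <= now:
        problems.append("key already expired")
    elif key.expires - now < MIN_VALIDITY:
        problems.append("key expires in under 6 months")
    if key.revoked_at is not None:
        problems.append("key is revoked")
    return problems


def signature_trustworthy(key: Key, signed_at: datetime) -> bool:
    """Was the key valid when the signature was made, and is the signature
    still worth trusting given what happened to the key afterwards?"""
    if signed_at < key.created:
        return False
    if key.expires is not None and signed_at > key.expires:
        return False                      # key was already expired at signing time
    if key.revoked_at is None:
        return True                       # expiry after signing does not matter
    if key.revocation_reason == REASON_COMPROMISED:
        return False                      # compromise taints every signature
    # superseded / retired / no reason: signatures made before the revocation stand
    return signed_at < key.revoked_at


# Constructed sample keys, pinned to the thread's date for reproducible results
NOW = datetime(2011, 9, 29, 18, 0, tzinfo=timezone.utc)
LONG_LIVED = Key("FPR-LONG", NOW - timedelta(days=400), NOW + timedelta(days=5 * 365))
SHORT_LIVED = Key("FPR-SHORT", NOW - timedelta(days=400), NOW + timedelta(days=30))
NEVER_EXPIRES = Key("FPR-NOEXP", NOW - timedelta(days=400), None)
RETIRED = Key("FPR-RET", NOW - timedelta(days=800), NOW - timedelta(days=100),
              revoked_at=NOW - timedelta(days=120), revocation_reason=REASON_RETIRED)
COMPROMISED = Key("FPR-COMP", NOW - timedelta(days=800), NOW + timedelta(days=365),
                  revoked_at=NOW - timedelta(days=10), revocation_reason=REASON_COMPROMISED)


def demo() -> dict:
    """Run both checks over the sample keys; a signature made 200 days ago
    predates both revocations above."""
    old_sig = NOW - timedelta(days=200)
    return {
        "long_lived_policy": check_signing_key_policy(LONG_LIVED, NOW),
        "short_lived_policy": check_signing_key_policy(SHORT_LIVED, NOW),
        "never_expires_policy": check_signing_key_policy(NEVER_EXPIRES, NOW),
        "retired_old_sig": signature_trustworthy(RETIRED, old_sig),
        "retired_new_sig": signature_trustworthy(RETIRED, NOW),
        "compromised_old_sig": signature_trustworthy(COMPROMISED, old_sig),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The split between the two functions is the point of the example: the policy check is strict about the future (a key about to expire, or one that never expires, is refused before signing), while the verification check only asks whether the key was live when the signature was made and treats a later revocation as fatal only when its reason is compromise.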