From: Rich Freeman
Date: Sat, 23 Feb 2019 11:52:44 -0500
Subject: Re: [gentoo-project] [RFC] OpenPGP Authority Keys to provide validity of developer/service keys
To: gentoo-project
Reply-To: gentoo-project@lists.gentoo.org

On Sat, Feb 23, 2019 at 11:30 AM Alec Warner wrote:
>
> - As Rich noted, most people have no idea how GPG works and they
> just do whatever they are instructed to do. I don't think a lack of
> knowledge of GPG indicates "being a troll" nor "lack of technical
> competence."

I wasn't even arguing ignorance. I've been using PGP since the days when I had to jump through hoops to get around the ITAR restrictions.

I don't follow the Gentoo instructions because I don't know how to use gpg. I follow them because the GLEP has a stack of requirements for how a Gentoo gpg key ought to be set up, and since I have no intention of ever using the key for anything else, there is no reason to waste time tailoring it to my own needs.

It is no different from my company laptop - I configure it however they want me to and don't use it for anything personal. That isn't because I don't know how to use gmail or Facebook or whatever on it, but simply because it makes no sense for me to get frustrated with whatever the IT policy is of the day when a laptop starts at $120 these days and I can just use my own, and I have independent internet anywhere I go.

Likewise, the reason I don't sign my email isn't because I don't know how thunderbird/kmail/whatever works.
It is because there isn't much intersection between MUAs that fit how I actually access email these days and MUAs that can securely access my key. If my Gentoo email workflow required a more gpg-centric workflow, then I'd set up a separate email account just for Gentoo, use Thunderbird or whatever with it on a single desktop, and not look at it much except when I had to. Or maybe, if it were supported, I'd use a different key for email so that I wouldn't need to go sticking my commit-signing key on every phone/laptop/whatever I use where it could get compromised and end up with some poor soul getting rooted, and I could be more liberal with the email key. Really, though, I suspect that some of the newer X.509-based protocols are better supported by email clients.

I've been involved with Gentoo in one way or another for approaching 15 years, and in all that time I think I've had to use gpg for something other than commit-signing maybe once or twice. Nothing wrong with using it, and I accept that some roles might require it more often, but it seems a bit overkill to invest a ton of time in secure email for an organization that almost never needs secure email.

No trolling intended. I just don't see the point. If it were required, then I would comply.

I completely get the spirit vs. the letter of the rules, but IMO this doesn't fall under either. As far as I can tell there was never any intent to require an email signing subkey, and this was not a mere accidental omission, at least not on the part of the majority of council members who voted for the policy.

-- 
Rich