From: Rich Freeman
To: gentoo-project@lists.gentoo.org
Date: Thu, 29 Sep 2011 11:48:48 -0400
Subject: Re: [gentoo-project] Re: [gentoo-dev] Manifest signing
List-Id: Gentoo Project discussion list
In-Reply-To: <4E848ABF.7060308@gentoo.org>

On Thu, Sep 29, 2011 at 11:11 AM, Patrick Lauer wrote:
> Otherwise some funny person will use a 4-bit key that expires tomorrow
> just to point out the missing details ...
>
I think this is becoming a big problem with Gentoo. There is something to be said for planning, but I think we have a tendency to bikeshed things to death before we do ANYTHING. All because when somebody goes and uses a 4-bit key we feel some kind of paralysis about taking action.

People that take obvious steps to skirt policies should simply be disciplined. I'm not talking about the guy with an old 512-bit key or whatever, or people that change after being asked nicely to do so. When it is obvious that people are just messing with the distro to prove a point then they are excluding themselves from the community.

We allow ourselves to be held hostage to anybody who can find a loophole in the rules, and that just leads to 40 bazillion rules and refusal to move forward until we have at least 50 rules to start with. If a rule is stupid just say it. If you think a council member who voted for it is stupid, be polite but call them on it. What we don't do is just ignore the rules, or try to end-run them.
I'd just encourage the council to not wait for the perfect specification to move forward with this or anything else. I applaud efforts like PMS and I think they add value. However, specs/rules are a tool to serve the community, and not enslave us.

Why not just keep this simple:

1. Key >= 1024 bits.
2. Validity >= 6 months.
3. Signature readable by stable gpg in tree.

Rich
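
The following is an added example, not part of the message above and not Gentoo tooling: a sketch of how rules 1 and 2 from the list could be checked mechanically against GnuPG's colon-format key listing. It assumes "validity" means the span from key creation to expiry, that a key with no expiry passes, and that 6 months is 182 days; the sample listing and key IDs are constructed, and rule 3 (signature readability) is not covered.

```python
from datetime import datetime, timezone

MIN_BITS = 1024           # rule 1 from the message
MIN_VALIDITY_DAYS = 182   # rule 2; assumption: "6 months" taken as 182 days

# Constructed sample in the layout of `gpg --with-colons --fixed-list-mode --list-keys`
# (fields: type:validity:bits:algo:keyid:created:expires:...). Key IDs are made up.
SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAAA1:1317254400:1380326400::-:::scESC:
uid:-::::1317254400::X::Dev One <dev1@example.org>:
pub:-:512:1:AAAAAAAAAAAAAAA2:1317254400:::-:::scESC:
pub:-:2048:1:AAAAAAAAAAAAAAA3:1317254400:1317340800::-:::scESC:
"""

def _ts(field):
    """Colon-format dates are epoch seconds; older gpg may emit YYYY-MM-DD."""
    if not field:
        return None
    if field.isdigit():
        return int(field)
    day = datetime.strptime(field[:10], "%Y-%m-%d")
    return int(day.replace(tzinfo=timezone.utc).timestamp())

def check_keys(colon_output):
    """Return {keyid: [violations]} for every primary key (pub record)."""
    results = {}
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] != "pub" or len(f) < 7:
            continue  # only primary-key records carry the fields checked here
        try:
            bits, created, expires = int(f[2]), _ts(f[5]), _ts(f[6])
        except ValueError:
            results[f[4]] = ["unparseable record"]
            continue
        problems = []
        if bits < MIN_BITS:
            problems.append(f"key is {bits} bits, need >= {MIN_BITS}")
        # Assumption: a key with no expiry date passes rule 2.
        if expires is not None and created is not None:
            days = (expires - created) // 86400
            if days < MIN_VALIDITY_DAYS:
                problems.append(f"validity is {days} days, need >= {MIN_VALIDITY_DAYS}")
        results[f[4]] = problems
    return results
```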