1 |
++++++++++... |
2 |
|
3 |
I have been working on the gentoo-keys project [1] to actively maintain |
4 |
the gentoo gpg keys installation, validation, etc. for users, devs and |
5 |
servers. |
6 |
|
7 |
On Wed, 2013-10-30 at 08:33 +0800, Patrick Lauer wrote: |
8 |
> On 10/29/2013 09:23 PM, Andreas K. Huettel wrote: |
9 |
> > In two weeks from now, the council will again have its regular monthly |
10 |
> > meeting. Now is the time to raise and prepare items that the council should |
11 |
> > put on the agenda to discuss or vote on. |
12 |
> |
13 |
> Request: A minimal policy for pgp keys and key handling (for commit signing) |
14 |
> |
15 |
> - Define the allowed key parameters: |
16 |
> e.g. 2048bit RSA or DSA, validity at least 6 months |
17 |
> |
18 |
|
19 |
I have it to a point that it would be easy to create a template to |
20 |
semi-automate the process of creating/updating the keys. But a spec is |
21 |
needed for it. That spec can be another file that can be updated and |
22 |
downloaded automatically when ever that functionality is used. No need |
23 |
for a new release of the app with the changes. |
24 |
|
25 |
> - Define a canonical location (e.g. in LDAP and on at least one |
26 |
> keyserver) where every dev's key is accessible (at least to gentoo infra) |
27 |
> |
28 |
|
29 |
I have code done which I run from woodpecker (or some other ldap |
30 |
accessible system) for mining the gpg keys from ldap and creates the |
31 |
seed file from that info. Last I test ran it, there were still a number |
32 |
of devs with mismatched keys and fingerprints. and one without a gpg key |
33 |
or fingerprint. Currently it is a little awkward to run from my dev |
34 |
space due to the +x restriction. It has to be run via "python2.x |
35 |
ldap-seeds" currently. |
36 |
|
37 |
Setting up some automation or having it installed is a next step that |
38 |
needs discussion. It will have a python interface that can be |
39 |
incorporated into last summer's GSOC projects that mgorny and dastergon |
40 |
were working on, which could do entry validation and trigger the seed |
41 |
file updates. |
42 |
|
43 |
|
44 |
> - Define a location of a (signed, autoupdated) global keyring that is |
45 |
> accessible to all interested parties (e.g. |
46 |
> http://www.gentoo.org/keyring.txt ) |
47 |
> |
48 |
|
49 |
The seed file will be made available similar to layman's |
50 |
repositories.xml list |
51 |
eg: https://api.gentoo.org/overlays/repositories.xml |
52 |
|
53 |
From the seed lists available there, any or all the dev or relaease |
54 |
media keys can be installed (using the seed info to get the key from the |
55 |
key server, check the fingerprints match, etc..)) the cli interface |
56 |
will have convenience functions for checking and validating the release |
57 |
media and other downloads. |
58 |
|
59 |
|
60 |
I am in the process of updating mirrorselect's code to get it's lists |
61 |
from: |
62 |
MIRRORS_3_XML = 'https://api.gentoo.org/mirrors/distfiles.xml' |
63 |
MIRRORS_RSYNC_DATA = 'https://api.gentoo.org/mirrors/rsync.xml' |
64 |
|
65 |
|
66 |
> That's the first stage that can be done now without big problems, and it |
67 |
> can be amended at any later time if there's any deficiencies. |
68 |
> (so if we agree that 2048 bit are not enough we just fix it to 4096 bit |
69 |
> and a three-month migration time) |
70 |
> |
71 |
> With that in place we can make commit signing mandatory (because right |
72 |
> now we don't even have a way to fetch all keys, so it's worse than |
73 |
> useless). |
74 |
|
75 |
Last I was actively working on it, I was about to start coding the git |
76 |
commit validation hook. But got injured/concussion that put that on |
77 |
hold. |
78 |
|
79 |
> |
80 |
> And then as a third stage we can discuss things like, say, disabling |
81 |
> commit access when the key is less than a month valid (after sending |
82 |
> some automated warning mails, yes?) and other ways to make this meaningful. |
83 |
> |
84 |
> But - let's not get carried away in a big debate about how the NSA has |
85 |
> infiltrated the minds of at least three devs, so we need four signatures |
86 |
> on every commit before it goes live, and other unrelated madness. Just |
87 |
> define the minimum set of rules to make signing useful, and then figure |
88 |
> out how to enforce it. |
89 |
> |
90 |
> (As a sidenote, someone might want to figure out how to do remote signed |
91 |
> commits - last time this was discussed I think there were some minor |
92 |
> issues that should be worked out so that we're all not too affected with |
93 |
> workflow changes) |
94 |
> |
95 |
> Thanks, |
96 |
> |
97 |
> Patrick |
98 |
> |
99 |
|
100 |
|
101 |
P.S. I welcome anyone to join in and help with it's development. |
102 |
|
103 |
[1] http://git.overlays.gentoo.org/gitweb/?p=proj/gentoo-keys.git;a=summary |
104 |
|
105 |
-- |
106 |
Brian Dolbec <dolsen@g.o> |