| 1 |
++++++++++... |
| 2 |
|
| 3 |
I have been working on the gentoo-keys project [1] to actively maintain |
| 4 |
the gentoo gpg keys installation, validation, etc. for users, devs and |
| 5 |
servers. |
| 6 |
|
| 7 |
On Wed, 2013-10-30 at 08:33 +0800, Patrick Lauer wrote: |
| 8 |
> On 10/29/2013 09:23 PM, Andreas K. Huettel wrote: |
| 9 |
> > In two weeks from now, the council will again have its regular monthly |
| 10 |
> > meeting. Now is the time to raise and prepare items that the council should |
| 11 |
> > put on the agenda to discuss or vote on. |
| 12 |
> |
| 13 |
> Request: A minimal policy for pgp keys and key handling (for commit signing) |
| 14 |
> |
| 15 |
> - Define the allowed key parameters: |
| 16 |
> e.g. 2048bit RSA or DSA, validity at least 6 months |
| 17 |
> |
| 18 |
|
| 19 |
I have it to a point that it would be easy to create a template to |
| 20 |
semi-automate the process of creating/updating the keys. But a spec is |
| 21 |
needed for it. That spec can be another file that can be updated and |
| 22 |
downloaded automatically when ever that functionality is used. No need |
| 23 |
for a new release of the app with the changes. |
| 24 |
|
| 25 |
> - Define a canonical location (e.g. in LDAP and on at least one |
| 26 |
> keyserver) where every dev's key is accessible (at least to gentoo infra) |
| 27 |
> |
| 28 |
|
| 29 |
I have code done which I run from woodpecker (or some other ldap |
| 30 |
accessible system) for mining the gpg keys from ldap and creates the |
| 31 |
seed file from that info. Last I test ran it, there were still a number |
| 32 |
of devs with mismatched keys and fingerprints. and one without a gpg key |
| 33 |
or fingerprint. Currently it is a little awkward to run from my dev |
| 34 |
space due to the +x restriction. It has to be run via "python2.x |
| 35 |
ldap-seeds" currently. |
| 36 |
|
| 37 |
Setting up some automation or having it installed is a next step that |
| 38 |
needs discussion. It will have a python interface that can be |
| 39 |
incorporated into last summer's GSOC projects that mgorny and dastergon |
| 40 |
were working on, which could do entry validation and trigger the seed |
| 41 |
file updates. |
| 42 |
|
| 43 |
|
| 44 |
> - Define a location of a (signed, autoupdated) global keyring that is |
| 45 |
> accessible to all interested parties (e.g. |
| 46 |
> http://www.gentoo.org/keyring.txt ) |
| 47 |
> |
| 48 |
|
| 49 |
The seed file will be made available similar to layman's |
| 50 |
repositories.xml list |
| 51 |
eg: https://api.gentoo.org/overlays/repositories.xml |
| 52 |
|
| 53 |
From the seed lists available there, any or all the dev or relaease |
| 54 |
media keys can be installed (using the seed info to get the key from the |
| 55 |
key server, check the fingerprints match, etc..)) the cli interface |
| 56 |
will have convenience functions for checking and validating the release |
| 57 |
media and other downloads. |
| 58 |
|
| 59 |
|
| 60 |
I am in the process of updating mirrorselect's code to get it's lists |
| 61 |
from: |
| 62 |
MIRRORS_3_XML = 'https://api.gentoo.org/mirrors/distfiles.xml' |
| 63 |
MIRRORS_RSYNC_DATA = 'https://api.gentoo.org/mirrors/rsync.xml' |
| 64 |
|
| 65 |
|
| 66 |
> That's the first stage that can be done now without big problems, and it |
| 67 |
> can be amended at any later time if there's any deficiencies. |
| 68 |
> (so if we agree that 2048 bit are not enough we just fix it to 4096 bit |
| 69 |
> and a three-month migration time) |
| 70 |
> |
| 71 |
> With that in place we can make commit signing mandatory (because right |
| 72 |
> now we don't even have a way to fetch all keys, so it's worse than |
| 73 |
> useless). |
| 74 |
|
| 75 |
Last I was actively working on it, I was about to start coding the git |
| 76 |
commit validation hook. But got injured/concussion that put that on |
| 77 |
hold. |
| 78 |
|
| 79 |
> |
| 80 |
> And then as a third stage we can discuss things like, say, disabling |
| 81 |
> commit access when the key is less than a month valid (after sending |
| 82 |
> some automated warning mails, yes?) and other ways to make this meaningful. |
| 83 |
> |
| 84 |
> But - let's not get carried away in a big debate about how the NSA has |
| 85 |
> infiltrated the minds of at least three devs, so we need four signatures |
| 86 |
> on every commit before it goes live, and other unrelated madness. Just |
| 87 |
> define the minimum set of rules to make signing useful, and then figure |
| 88 |
> out how to enforce it. |
| 89 |
> |
| 90 |
> (As a sidenote, someone might want to figure out how to do remote signed |
| 91 |
> commits - last time this was discussed I think there were some minor |
| 92 |
> issues that should be worked out so that we're all not too affected with |
| 93 |
> workflow changes) |
| 94 |
> |
| 95 |
> Thanks, |
| 96 |
> |
| 97 |
> Patrick |
| 98 |
> |
| 99 |
|
| 100 |
|
| 101 |
P.S. I welcome anyone to join in and help with it's development. |
| 102 |
|
| 103 |
[1] http://git.overlays.gentoo.org/gitweb/?p=proj/gentoo-keys.git;a=summary |
| 104 |
|
| 105 |
-- |
| 106 |
Brian Dolbec <dolsen@g.o> |
Archives