Just checking: Brian (dol-sen), Rick (Zero_Chaos), Robin (robbat2) - are
all the issues resolved here?

Please see some quotes below for what might appear to indicate some
further changes to the GLEP. The key distribution part doesn't seem to
be fully ready, but feel free to correct me.

Thank you for working on this, I think better security there is
important for Gentoo.

By the way, one more suggestion that came up is splitting the GLEP into two:

1) individual developer key and gpg guidelines (looks like this could be
approved now)

2) distro-wide key/keyring distribution mechanism/policy (looks like it
may need more work)

Paweł

On 11/16/13, 12:43 AM, Brian Dolbec wrote:
> On Fri, 2013-11-15 at 16:25 -0500, Rick "Zero_Chaos" Farina wrote:
>> On 11/15/2013 02:37 PM, Robin H. Johnson wrote:
>>> On Fri, Nov 15, 2013 at 01:51:32PM -0500, Rick "Zero_Chaos" Farina wrote:
>>>> On 11/15/2013 01:23 AM, Robin H. Johnson wrote:
>>> There are a few parts to it:
>>> - gentoo-keys (led by dolsen)
>>> This is a mostly infra-level tool that takes the data in LDAP, does
>>> validation, mixes in the keys from keyserver/homedir, and generates
>>> keyrings.
>
> Not quite right. The gentoo-keys project is a repository with two main
> components.
>
> 1) gkeyldap cli and python pkg. [...]
>
> 2) gkey cli and python pkg. [...]
> [...]
>> I think this is a great idea, BUT, we would need to handle "the latest
>> gentoo-dev-keyring" like portage updates used to be handled. If there
>> is an update, warn the user, and if gentoo-dev-keyring is in the update
>> list it *must* be merged first. Again, these implementation details
>> don't necessarily have to be in the glep, but we need to make sure as we
>> go through that we account for such things. My day job is pretty much
>> running man in the middle on things and laughing at the result, so I'm
>> super excited to see all this hard work going in.
>> [...]
>>> TODO:
>>> We need a way for a given repo, once installed, to specify what keyrings
>>> to use for validation. I'm thinking of adding it to
>>> metadata/layout.conf.
>>> The main gentoo-x86 repo would have for example:
>>> keyrings = gentoo-master gentoo-releng gentoo-dev
>>>
>>> Overlays might have:
>>> keyrings = gentoo-overlay-mysql
>>>
>> Love it. This should probably make it into the glep.
>>
> Sounds good to me.
>
> P.S. OH my, this turned out to be a long reply :/
> But I hope it clears up any questions people may have about it.
> It is a work in progress...
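
The per-repository `keyrings` setting proposed in the quoted TODO, as an added example that is not part of the original thread and is not gentoo-keys or portage code: it reads the `keyrings` line from a repo's `metadata/layout.conf` text and accepts a signing key only if it belongs to a keyring that repo lists. The function names, the name-validation rule, the fail-closed behaviour and the sample fingerprints are assumptions made for illustration.

```python
import re

# Assumption: keyring names end up as file names, so accept a narrow charset.
NAME_RE = re.compile(r"[a-z0-9][a-z0-9-]*")

class LayoutError(ValueError):
    """layout.conf does not give a usable keyrings list."""

def parse_keyrings(layout_text):
    """Return the keyring names a repo declares in its layout.conf text."""
    found = None
    for lineno, raw in enumerate(layout_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key != "keyrings":
            continue
        if found is not None:
            raise LayoutError(f"line {lineno}: duplicate keyrings entry")
        found = value.split()
        for name in found:
            if not NAME_RE.fullmatch(name):
                raise LayoutError(f"line {lineno}: bad keyring name {name!r}")
    if not found:
        # Fail closed: a missing entry must not mean "any installed keyring".
        raise LayoutError("no keyrings declared")
    return found

def key_trusted_for_repo(layout_text, keyring_members, fingerprint):
    """True only if the fingerprint is in a keyring this repo itself lists."""
    return any(fingerprint in keyring_members.get(name, ())
               for name in parse_keyrings(layout_text))

# Constructed sample data; the fingerprints are placeholders, not real keys.
MAIN_LAYOUT = "keyrings = gentoo-master gentoo-releng gentoo-dev\n"
OVERLAY_LAYOUT = "masters = gentoo\nkeyrings = gentoo-overlay-mysql  # overlay\n"
MEMBERS = {
    "gentoo-dev": {"DEV0" * 10},
    "gentoo-overlay-mysql": {"OVL0" * 10},
}

if __name__ == "__main__":
    print(parse_keyrings(MAIN_LAYOUT))
    # An overlay key must not validate content in the main repo.
    print(key_trusted_for_repo(MAIN_LAYOUT, MEMBERS, "OVL0" * 10))
```

Scoping the lookup to the repo's own list is what keeps a key that is valid for one overlay from being accepted for the main tree or for another overlay.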