-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 08/01/2011 05:51 PM, Patrick Lauer wrote:
> On 07/29/11 19:55, Fabian Groffen wrote:
>> With a bit more than a week ahead of us for the next council
>> meeting, I'd like to start preparing the agenda, given that current
>> practice still is to send it out a week in advance.
>
> A small thing which I've brought up for discussion twice (and both
> times it was mostly ignored), but which I'd really like to see
> discussed or even agreed on:
>
> A simple policy making signed commits mandatory, plus a simple policy
> on key length, permissible encryption/signature algorithms, and a
> well-defined place where (public) keys are made available for
> verifying and checking the validity of the signatures.
>
>
> It would greatly improve the current status quo and remove any
> ambiguity which might motivate people to use a 4-bit key for signing
> to be within the letter of the law.
>
>
> Thanks,
>
> Patrick
>

I second this.

The Developer's Handbook specifies[1] that a DSA key with a minimum 1024
bit length is required, but not whether 'DSA and Elgamal' or 'DSA (sign
only)' should be used, and it does not specify to which key server the
key must be submitted.

Inquiring minds need to know.

- - Aaron

[1] http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=2&chap=6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAk43L1MACgkQCOhwUhu5AEkRIQD9EEn6+lXi5CHmqxLh0ltCQY41
w9Kh+Ck2KOnH+QDPUvMA/2gL13ROr6fZDgyufKrS6yCA4LFxkigs2d0hAkw9V6ce
=Tm3U
-----END PGP SIGNATURE-----