On 09/29/2011 12:36 PM, Anthony G. Basile wrote:
> On 09/29/2011 12:23 PM, Mike Frysinger wrote:
>> On Thursday, September 29, 2011 11:11:59 Patrick Lauer wrote:
>>> On 09/29/11 17:04, Tony "Chainsaw" Vroon wrote:
>>>> On 29/09/11 16:02, Anthony G. Basile wrote:
>>>>> Is there any chance that we can agree to reject
>>>>> unsigned manifests? Possibly a question for the Council to adjudicate?
>>>> I am happy to back a mandatory signing policy for the main gentoo-x86
>>>> tree. This is a simple yes or no question that the council can vote on.
>>> As previously discussed it would be nice to have some basic key policies
>>> in place for that - they can be changed at any later time, but for now
>>> we could agree on basic parameters like, say -
>>>
>>> at least 1024bit key length
>>> at least 6 months validity from creation
>>> one or more algorithms (initially DSA signatures and SHA1 hashing)
>> there's nothing to decide as it was already outlined long ago in the docs:
>> http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=2&chap=6
>>
>> if you want to *refine* that, then that's a different issue. but the devs
>> already have all the info they need to start signing now.
>> -mike
> Thanks I didn't know that had made it to the devmanual. I drop my
> original request.
>
> I guess the next step, if we were to take it, would be to have infra
> enforce the policy automatically if a commit comes in which isn't signed.
>
Sorry sent this before getting Mike's email about

https://bugs.gentoo.org/377233

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535