1 |
On 09/29/11 17:04, Tony "Chainsaw" Vroon wrote: |
2 |
> On 29/09/11 16:02, Anthony G. Basile wrote: |
3 |
>> Is there any chance that we can agree to reject |
4 |
>> unsigned manifests? Possibly a question for the Council to adjudicate? |
5 |
> |
6 |
> I am happy to back a mandatory signing policy for the main gentoo-x86 |
7 |
> tree. This is a simple yes or no question that the council can vote on. |
8 |
|
9 |
As previously discussed it would be nice to have some basic key policies |
10 |
in place for that - they can be changed at any later time, but for now |
11 |
we could agree on basic parameters like, say - |
12 |
|
13 |
at least 1024bit key length |
14 |
at least 6 months validity from creation |
15 |
one or more algorithms (initially DSA signatures and SHA1 hashing) |
16 |
|
17 |
Otherwise some funny person will use a 4-bit key that expires tomorrow |
18 |
just to point out the missing details ... |
19 |
|
20 |
|
21 |
Another point: Currently we do NOT sign eclasses and profiles. |
22 |
So before such a policy becomes mandatory we need to figure out how to |
23 |
handle that, otherwise we can't enforce it |