From: Eli Schwartz <eschwartz@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Date: Fri, 29 Nov 2024 14:02:26 -0500
Subject: Re: [gentoo-dev] [PATCH v2 1/2] sec-keys.eclass: new eclass
Message-ID: <8479617a-d206-4387-a49b-d1f8ee304a2a@gentoo.org>

On 11/29/24 1:31 PM, Robin H. Johnson wrote:
> From a technical perspective, that depends on the keyserver design.
>
> But the canonical "why" is GDPR Article 17 - right-to-erasure.
>
> Hockeypuck even ships a script to make it easy for admins to delete
> keys:
> https://github.com/hockeypuck/hockeypuck/blob/5cc0fffe46f44986cbf78a554ab482e3baaa5143/contrib/docker-compose/standalone/README.md?plain=1#L177-L190
>
> There is another more obvious reason why a key might vanish from a
> keyserver: ephemeral & eventually consistent state

Indeed, but that just reinforces my point that this doesn't represent a
failing test. :)

GDPR argumentation aside and practicalities alone, PGP keys for
developers of software packaged in Linux distributions *cannot* be
forgotten, period, since they exist in tons of places including
committed to git as *.asc files in multiple distros' package sources.

And user-requested deletion would anyways not be a test failure as the
package is plainly fine and can continue to be verified. It's possible
for us to be independently asked to make a commit that removes the key
in question from ::gentoo, but that's a separate story.

Ephemeral state is an even greater indication of why refreshes should be
expected to fail without failing the test :) since an ephemeral state
that is not yet consistent does not mean the key has disappeared or that
it needs to be updated.

-- 
Eli Schwartz
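The distinction argued above, that a keyserver refresh is best-effort while signature verification against the committed *.asc key is what actually decides the test, is shown below in an added shell example. It is not code from sec-keys.eclass or from the thread's author; it assumes only the stock gpg command line, and the function names, the isolated GNUPGHOME directory and the argument layout are hypothetical.

```shell
#!/bin/sh
# Added example (not sec-keys.eclass code): keyserver refresh is best-effort,
# signature verification against the distribution-committed key is mandatory.
# Function names are hypothetical; an isolated GNUPGHOME keeps this off the
# user's own keyring.

# Import the committed key file (*.asc) into an isolated keyring.
sec_keys_import() {
    # $1: directory used as GNUPGHOME, $2: path to the committed .asc file
    GNUPGHOME="$1" gpg --batch --quiet --import "$2"
}

# Try to refresh one key from a keyserver. A miss (eventually-consistent
# state, a deleted key, an unreachable server) is reported on stderr but
# never propagated as a failure: the local copy remains usable.
sec_keys_refresh_best_effort() {
    # $1: GNUPGHOME, $2: keyserver URL, $3: key fingerprint
    if GNUPGHOME="$1" gpg --batch --quiet --keyserver "$2" \
            --refresh-keys "$3" 2>/dev/null; then
        echo "refresh: $3 updated from $2"
    else
        echo "refresh: $3 not updated from $2 (non-fatal; local key still valid)" >&2
    fi
    return 0
}

# Verify a detached signature. This is the only step whose outcome decides.
sec_keys_verify() {
    # $1: GNUPGHOME, $2: detached signature, $3: signed file
    GNUPGHOME="$1" gpg --batch --quiet --verify "$2" "$3"
}

# The whole check: import, refresh (informational), verify (decisive).
# Exit status: 0 on a good signature, 2 if the key file cannot be imported,
# otherwise gpg's verification status.
sec_keys_test() {
    # $1: GNUPGHOME, $2: .asc key file, $3: keyserver URL,
    # $4: fingerprint, $5: detached signature, $6: signed file
    sec_keys_import "$1" "$2" || return 2
    sec_keys_refresh_best_effort "$1" "$3" "$4"
    sec_keys_verify "$1" "$5" "$6"
}

# Usage (with a real keyring directory, key file, signature and tarball):
#   sec_keys_test "$(mktemp -d)" files/upstream.asc hkps://keys.openpgp.org \
#       FINGERPRINT foo-1.0.tar.xz.sig foo-1.0.tar.xz
```

The refresh step discards its own exit status on purpose; everything that can make the check fail goes through `sec_keys_verify`, so a keyserver that is down, lagging, or no longer carrying the key changes only a log line, not the result.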