| 1 |
On 12/21/2015 04:21 AM, Ryan Hill wrote: |
| 2 |
> On Sun, 13 Dec 2015 19:00:45 -0800 |
| 3 |
> Brian Dolbec <dolsen@g.o> wrote: |
| 4 |
> |
| 5 |
> |
| 6 |
>> But, one of the biggest things keeping me from doing more work on it |
| 7 |
>> when I do have some time, is the fact that barely any of the devs seem |
| 8 |
>> to care (other than the OP, who just seems to bitch about everything |
| 9 |
>> not working for him). Since the GLEP 63 spec has been approved. |
| 10 |
>> Barely any of the gentoo developers have even tried to update their gpg |
| 11 |
>> key or generate a new one that does meet the spec. For that reason, I |
| 12 |
>> have not endeavored to get more done in it. I've been trying to |
| 13 |
>> keep the gentoo-devs seed file reasonably up to date, but since there |
| 14 |
>> are few devs actually fixing or generating new keys, it is not needed |
| 15 |
>> that often. In fact weeks go by before there is a change in LDAP in |
| 16 |
>> regards to gpg keys. |
| 17 |
>> |
| 18 |
>> As Andrew pointed out in another reply, there is a fairly decent |
| 19 |
>> document about generating new gpg keys either directly using gpg or |
| 20 |
>> using gkeys-gen (gkeys-gen-9999) has the most troublesome bugs fixed in |
| 21 |
>> it btw). |
| 22 |
> It's a little difficult for people to generate new keys with gkeys-gen when |
| 23 |
> the version of gkeys-gen in the tree is completely and utterly broken, and has |
| 24 |
> been for almost a year now. |
| 25 |
Wiki says: |
| 26 |
|
| 27 |
"In this guide we are going to show you how to create a GLEP 63 |
| 28 |
<https://wiki.gentoo.org/wiki/GLEP:63> based OpenPGP Key using |
| 29 |
app-crypt/gkeys-gen |
| 30 |
<https://packages.gentoo.org/packages/app-crypt/gkeys-gen> tool which is |
| 31 |
the official way of managing OpenPGP keys in the Gentoo Infrastructure." |
| 32 |
|
| 33 |
So either the documentation is wrong, or we're supposed to use a broken |
| 34 |
tool. |
| 35 |
|
| 36 |
Interesting challenge! |
| 37 |
> The last time I tried to make a new key it spit |
| 38 |
> out a bunch of errors and tried to put data in $HOME/~/gkeys-user/gpghome. |
| 39 |
> Like it didn't expand the tilde, but made a directory literally named '~'. I'm |
| 40 |
> supposed to use this for security sensitive data? You want me to use a |
| 41 |
> potentially unstable live ebuild instead? Well, no, that's not gonna happen. |
| 42 |
It gets even better when you try to read the code. But, not to worry - |
| 43 |
it's actually pretty easy. Took me only about 4h to combine the |
| 44 |
fragments together ... |
| 45 |
|
| 46 |
|
| 47 |
So, first part of the puzzle: |
| 48 |
https://wiki.gentoo.org/wiki/GLEP:63 |
| 49 |
|
| 50 |
Build a gpg.conf with the suggestions there. |
| 51 |
|
| 52 |
Now read http://www.gnupg.org/gph/en/manual.html ... well, the |
| 53 |
interesting part is: |
| 54 |
|
| 55 |
""" |
| 56 |
$ gpg --full-gen-key |
| 57 |
|
| 58 |
Your selection? 4 |
| 59 |
What keysize do you want? (2048) 4096 |
| 60 |
Key is valid for? (0) 36m |
| 61 |
""" |
| 62 |
Those are the required base parameters, all other questions are |
| 63 |
identifier (name/email). It'll take a minute or five to collect enough |
| 64 |
entropy. |
| 65 |
|
| 66 |
Now you want to generate a subkey (where ${keyid} is the keyid of the |
| 67 |
main key): |
| 68 |
|
| 69 |
""" |
| 70 |
$ gpg --edit-key ${keyid} |
| 71 |
gpg> addkey |
| 72 |
Your selection? 4 |
| 73 |
What keysize do you want? (2048) 4096 |
| 74 |
Key is valid for? (0) 12m |
| 75 |
""" |
| 76 |
and maybe a revocation certificate: |
| 77 |
""" |
| 78 |
$ gpg --output revoke.asc --gen-revoke ${keyid} |
| 79 |
""" |
| 80 |
|
| 81 |
What I did then was to export the subkey, and keep the main key |
| 82 |
somewhere safe. Then import the subkey on the victim machine(s) used for |
| 83 |
gentoo committery. |
| 84 |
|
| 85 |
Now you need to read the gpg docs again and figure out that you need |
| 86 |
"gpg --send-keys" to upload the key to the public keyservers. |
| 87 |
|
| 88 |
Then you wait a few minutes for it to become visible, you can check that |
| 89 |
on http://pool.sks-keyservers.net. |
| 90 |
|
| 91 |
Now your wiki skills are needed, if you don't know the magic invocation |
| 92 |
you won't find it. |
| 93 |
Hint: https://wiki.gentoo.org/wiki/Project:Infrastructure/LDAP_Guide |
| 94 |
|| |
| 95 |
|
| 96 |
The magic line|||||||is: "perl_ldap -b user -C gentooGPGfingerprint |
| 97 |
"<newfp>" $USER". |
| 98 |
|
| 99 |
So now log in to dev.gentoo.org and add your key's fingerprint there. |
| 100 |
Wait 15 minutes. |
| 101 |
|
| 102 |
Use that time to read https://wiki.gentoo.org/wiki/Gentoo_git_workflow |
| 103 |
|
| 104 |
especially the repository settings chapter. |
| 105 |
|
| 106 |
|
| 107 |
... and now you can clone the repo, and do (signed) commits. Easy! |
| 108 |
|
| 109 |
|
| 110 |
|
| 111 |
So, our onboarding experience sucks, this information is spread out in a |
| 112 |
way that makes it hard to find even if you know what you want. |
| 113 |
|
| 114 |
It took me literally hours, which means every new dev trying to do this |
| 115 |
will spend hours. It's a colossal waste of time, drains motivation, and |
| 116 |
especially the conflicting/wrong docs are not really a good idea. |
| 117 |
|
| 118 |
The complaints are mostly that no one seems to have thought about how a |
| 119 |
new user will find things, so there's no combined doc. The wiki is hard |
| 120 |
to search, making it extra challenging to figure out what to do. |
| 121 |
|
| 122 |
|
| 123 |
|
| 124 |
How to improve? Take my email, cut out the parts that state the obvious, |
| 125 |
turn it into a wiki page referencing the other wiki pages (if wiki is |
| 126 |
your thing - I refuse to touch MediaWiki outside of paid work, because I |
| 127 |
got paid too long to work with it and understand the deeply ingrained |
| 128 |
confusion its authors had about the universe) |
| 129 |
|
| 130 |
Or just point people at a random email, because that's about as good as |
| 131 |
documentation. |
| 132 |
I've wasted enough time documenting the missing pieces, instead of |
| 133 |
running gkeys-gen and doing this whole process in under half an hour it |
| 134 |
took me most of an afternoon, with my mood definitely not improving. |
| 135 |
|
| 136 |
|
| 137 |
Please, stop wasting people's time, if you write code or documentation |
| 138 |
write it once properly, don't release untested things and claim they are |
| 139 |
an official tool, and don't ignore complaints (because they mean, as a |
| 140 |
first approximation, that you screwed up and need to fix stuff) |
| 141 |
|
| 142 |
Sigh. |
| 143 |
|
| 144 |
|
| 145 |
||| |
Archives