| 1 |
On 2020-12-15 11:16, Michael Orlitzky wrote: |
| 2 |
>On 12/15/20 11:11 AM, Thomas Deutschmann wrote: |
| 3 |
>> |
| 4 |
>> What do you mean exactly? |
| 5 |
>> |
| 6 |
>> For Gentoo tooling, only Gentoo keyservers are important and Gentoo no longer synchronizes with any other pool. |
| 7 |
>> |
| 8 |
>"The Gentoo developer tooling explicitly checks the Gentoo keyserver |
| 9 |
>pool with a much higher frequency" strongly implies that we check the |
| 10 |
>non-Gentoo pools with a non-zero frequency. |
| 11 |
> |
| 12 |
> |
| 13 |
|
| 14 |
I'm with Michael on this. I've recently experienced this issue myself as the |
| 15 |
instruction to upload the key to the Gentoo keyserver is separate from the |
| 16 |
GLEP63[1] document. It doesn't matter that the step is documented if the Holy |
| 17 |
Tome GLEP63 doesn't mention it. What hint would I have to look for a |
| 18 |
supplemental document to provide that specific step? |
| 19 |
|
| 20 |
According to GLEP 63, uploading to the SKS keyserver is a requirement. |
| 21 |
However, it fails to specify which SKS keyserver. In fact, neither "SKS" nor |
| 22 |
"keyserver" are defined in GLEP63. Ergo, the natural interpretation is *anything* |
| 23 |
that's called an SKS keyserver will satisfy the requirement. As long as the |
| 24 |
developer can submit the key, the requirement is met. |
| 25 |
|
| 26 |
Additionally, the supplemental document[2] doesn't say developers must upload |
| 27 |
via an internal host, but that devs should upload to both SKS and the Gentoo |
| 28 |
keyserver. Yes, it says the Gentoo keyserver is currently restricted to syncing |
| 29 |
with "authorized Gentoo hosts", but that's a nonsense phrase and unhelpful. It |
| 30 |
assumes I know what the authorized Gentoo hosts are. It doesn't clearly state |
| 31 |
what they are. It kind of hints that it will pull from SKS eventually, but it |
| 32 |
could take a long time. |
| 33 |
|
| 34 |
I understand we temporarily stopped syncing with the public keyserver out of an |
| 35 |
overabundance of caution. However, that shouldn't have been done without |
| 36 |
updating every official Gentoo resource regarding how devs should handle their |
| 37 |
keys, which as far as I know is only two documents[1,2]. A whopping 2 documents. |
| 38 |
|
| 39 |
This new (I know it's been around for a year but that doesn't make it any less |
| 40 |
new), stricter requirement, should be **explicitly** stated in GLEP63, properly |
| 41 |
referencing the justification[3], and linking to the infra supplemental |
| 42 |
document. The infra supplemental document needs to then use the phrase "must" in |
| 43 |
place of "should" when informing readers to upload to two different locations. |
| 44 |
|
| 45 |
|
| 46 |
Footnotes: |
| 47 |
[1] https://www.gentoo.org/glep/glep-0063.html |
| 48 |
|
| 49 |
[2] https://wiki.gentoo.org/index.php?title=Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys&oldid=813494#Submit_your_new_key_to_the_keyserver |
| 50 |
|
| 51 |
[3] https://www.gentoo.org/news/2019/07/03/sks-key-poisoning.html |
Archives