On 2020-12-15 11:16, Michael Orlitzky wrote:
> On 12/15/20 11:11 AM, Thomas Deutschmann wrote:
>>
>> What do you mean exactly?
>>
>> For Gentoo tooling, only Gentoo keyservers are important and Gentoo no longer synchronizes with any other pool.
>>
> "The Gentoo developer tooling explicitly checks the Gentoo keyserver
> pool with a much higher frequency" strongly implies that we check the
> non-Gentoo pools with a non-zero frequency.
>
>

I'm with Michael on this. I've recently experienced this issue myself, as the
instruction to upload the key to the Gentoo keyserver is separate from the
GLEP63[1] document. It doesn't matter that the step is documented if the Holy
Tome GLEP63 doesn't mention it. What hint would I have to look for a
supplemental document to provide that specific step?

According to GLEP 63, uploading to the SKS keyserver is a requirement.
However, it fails to specify which SKS keyserver. In fact, neither "SKS" nor
"keyserver" is defined in GLEP63. Ergo, the natural interpretation is that *anything*
that's called an SKS keyserver will satisfy the requirement. As long as the
developer can submit the key, the requirement is met.

Additionally, the supplemental document[2] doesn't say developers must upload
via an internal host, but that devs should upload to both SKS and the Gentoo
keyserver. Yes, it says the Gentoo keyserver is currently restricted to syncing
with "authorized Gentoo hosts", but that's a nonsense phrase and unhelpful. It
assumes I know what the authorized Gentoo hosts are. It doesn't clearly state
what they are. It kind of hints that it will pull from SKS eventually, but it
could take a long time.

I understand we temporarily stopped syncing with the public keyserver out of an
overabundance of caution. However, that shouldn't have been done without
updating every official Gentoo resource regarding how devs should handle their
keys, which as far as I know is only two documents[1,2]. A whopping 2 documents.

This new (I know it's been around for a year, but that doesn't make it any less
new), stricter requirement should be **explicitly** stated in GLEP63, properly
referencing the justification[3], and linking to the infra supplemental
document. The infra supplemental document then needs to use the phrase "must" in
place of "should" when informing readers to upload to two different locations.


Footnotes:
[1] https://www.gentoo.org/glep/glep-0063.html

[2] https://wiki.gentoo.org/index.php?title=Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys&oldid=813494#Submit_your_new_key_to_the_keyserver

[3] https://www.gentoo.org/news/2019/07/03/sks-key-poisoning.html