Gentoo Archives: gentoo-dev

From: Rich Freeman <rich0@g.o>
To: Kristian Fiskerstrand <k_f@g.o>
Cc: gentoo-dev <gentoo-dev@l.g.o>
Subject: Re: [gentoo-dev] Best way to create a GLEP 63 compliant GPG key on Nitrocard?
Date: Thu, 25 Apr 2019 22:27:03
In Reply to: Re: [gentoo-dev] Best way to create a GLEP 63 compliant GPG key on Nitrocard? by Kristian Fiskerstrand
1 On Thu, Apr 25, 2019 at 4:55 PM Kristian Fiskerstrand <k_f@g.o> wrote:
2 >
3 > Quite frankly I'd expect a Gentoo Developer to be able to manage the gpg
4 > interface.
5 >
7 Being able to is not the same as caring enough to be bothered with
8 it... I don't want to custom-tailor my Gentoo key. I just want to
9 generate a key that will make the commit scripts happy. The key is
10 completely disposable from a personal standpoint - when the GLEP was
11 recently revised to make my old key no longer valid, I just generated
12 a new one. I didn't even bother revoking the old one, since it had no
13 function as soon as I changed the fingerprint in LDAP.
15 I was generating PGP keys back when it used idea and I'm guessing md5.
16 I've had gpg keys for decades. I used my personal one for Gentoo
17 until the point where there were specific requirements for a Gentoo
18 key, and rather than try to personally live with the Gentoo
19 requirements it makes far more sense to just generate a
20 Gentoo-specific key. Then we can change the GLEP as often as we like
21 it it really doesn't bother me much. I can just discard my key and
22 create a new one, though it would be nice if those creating the GLEPs
23 would actually document the simplest way to do this for those who
24 really can't be bothered to read the man page.
26 I mean, I'd expect any Gentoo dev to be able to figure out how to use
27 git as well, but git also has a terrible command line interface, so
28 rather than put a bunch of requirements in a document and force
29 everybody to dig through manpages to get it to generate signed
30 commits/pushes/etc we just give a handy workflow. After all, our goal
31 is to maintain the repo, not spend all day independently decipering
32 how to sign pushes or figuring out that a commit sig and a push sig
33 are two different things.
35 Personally I think we ought to make it easier to just use the
36 Nitrokeys we spent all this money on in a more secure manner than just
37 leaving primary keys lying around on hard drives, which is where I
38 suspect the vast majority will reside, completely negating the expense
39 the Foundation and Nitrokey both went through to provide them for us.
40 While I'm all for GLEPs themselves sticking to specs, having a
41 workflow document to go along with it would go a long way to helping
42 devs to comply, rather than spending all our effort writing
43 increasingly clever scripts to yell at them when they aren't
44 complying.
46 --
47 Rich