1 |
On 12/14/2015 04:00 AM, Brian Dolbec wrote: |
2 |
> On Sun, 13 Dec 2015 22:20:01 +0300 |
3 |
> Andrew Savchenko <bircoph@g.o> wrote: |
4 |
> |
5 |
>> Hi, |
6 |
>> |
7 |
>> On Sun, 13 Dec 2015 18:36:51 +0100 Patrick Lauer wrote: |
8 |
>>> Oh hey. We're in the future. Let's try to commit something to |
9 |
>>> repo/gentoo.git! |
10 |
>>> |
11 |
>>> So apparently we're signing things with gpg now, so let's read the |
12 |
>>> official documentation. |
13 |
>>> The [1] wiki seems to be the canonical location for such things. |
14 |
> ... |
15 |
> |
16 |
>>> Since signing is mandatory since the git migration, ahem, this means |
17 |
>>> that no one in the last 5 months(!) actually followed the |
18 |
>>> documentation (because that does NOT work!). I'm almost impressed, |
19 |
>>> but, wow, this is enterprisey. |
20 |
>> It is absolutely possible to create correct gpg key, put it into |
21 |
>> LDAP according to GLEP and to sign commits and pushes properly. |
22 |
>> What is not currently possible is to verify all tree automatically. |
23 |
>> |
24 |
>> I agree that gkeys needs more work. But we are all volunteers here. |
25 |
>> You may help them if you are that interested into this |
26 |
>> functionality. |
27 |
>> |
28 |
>> What worries me more that we still have no way for rsync users to |
29 |
>> verify the portage tree (or Gentoo tree in the newspeak someone |
30 |
>> prefers here). And most users use rsync. |
31 |
>> |
32 |
>>> So, what can we do to make this whole story of 'commit (and push) to |
33 |
>>> repo/gentoo.git' make sense? And why do I appear to be the only one |
34 |
>>> to notice this chain of breakage?! |
35 |
>> We need to complete gkeys project, right? That's not all of the |
36 |
>> story, but a start. So send patches :) As for the full story, we |
37 |
>> still need to somehow verify rsync tree. For now only snapshots are |
38 |
>> verified. |
39 |
>> |
40 |
>> Best regards, |
41 |
>> Andrew Savchenko |
42 |
> Thank you Andrew. |
43 |
> |
44 |
> Let me first say, that while I am leading the gentoo-keys project. I |
45 |
> have not been doing much with making progress to get another release |
46 |
> out. My time is mostly taken up by full time work, add some health |
47 |
> issues (not serious), plus with coding full time now (it was just a |
48 |
> hobby before). I am finding it difficult to switch codebases to keep |
49 |
> development going in a non work project. There is a certain amount of |
50 |
> time needed to get back into the code to make any significant progress. |
51 |
> |
52 |
> But, one of the biggest things keeping me from doing more work on it |
53 |
> when I do have some time, is the fact that barely any of the devs seem |
54 |
> to care (other than the OP, who just seems to bitch about everything |
55 |
> not working for him). Since the GLEP 63 spec has been approved. |
56 |
> Barely any of the gentoo developers have even tried to update their gpg |
57 |
> key or generate a new one that does meet the spec. For that reason, I |
58 |
> have not endeavored to get more done in it. I've been trying to |
59 |
> keep the gentoo-devs seed file reasonably up to date, but since there |
60 |
> are few devs actually fixing or generating new keys, it is not needed |
61 |
> that often. In fact weeks go by before there is a change in LDAP in |
62 |
> regards to gpg keys. |
63 |
> |
64 |
> As Andrew pointed out in another reply, there is a fairly decent |
65 |
> document about generating new gpg keys either directly using gpg or |
66 |
> using gkeys-gen (gkeys-gen-9999) has the most troublesome bugs fixed in |
67 |
> it btw). |
68 |
> |
69 |
> But lets get back to the OP's gpg keys. |
70 |
> |
71 |
> dolsen@vulture /var/lib/gkeys $ gkeys spec-check -C gentoo-devs -n patrick |
72 |
> |
73 |
> Checking keys... |
74 |
> |
75 |
> |
76 |
> patrick, Patrick Lauer: 0x10F17899A28441CC, 0xA8447784E52864CE |
77 |
> ============================================== |
78 |
> |
79 |
> ---------- |
80 |
> Fingerprint......: 0A0901B8F018D5D6A4A31A4410F17899A28441CC |
81 |
> Key type ........: PUB Capabilities.: sc |
82 |
> Algorithm........: Pass Bit Length...: Fail |
83 |
> Create Date......: Pass Expire Date..: Pass |
84 |
> Key Version......: Pass Validity.....: e, Expired |
85 |
> Days till expiry.: 0 |
86 |
> Capability.......: Pass |
87 |
> Qualified ID.....: Fail <== '@gentoo.org' user id not found |
88 |
> This primary key.: Fail |
89 |
> |
90 |
> ---------- |
91 |
> Fingerprint......: 043F1AB5B35382E666BDBEA4058F9332F0BAE0B1 |
92 |
> Key type ........: SUB Capabilities.: e |
93 |
> Algorithm........: ---- Bit Length...: ---- |
94 |
> Create Date......: Pass Expire Date..: Pass |
95 |
> Key Version......: Pass Validity.....: e, Expired |
96 |
> Days till expiry.: 0 |
97 |
> Capability.......: Pass |
98 |
> Qualified ID.....: Fail <== '@gentoo.org' user id not found |
99 |
> This subkey......: Fail |
100 |
> |
101 |
> Key summary |
102 |
> primary..........: Fail signing subkey: Fail |
103 |
> encryption subkey: No authentication subkey: No |
104 |
> SPEC requirements: Fail |
105 |
> |
106 |
> |
107 |
> ---------- |
108 |
> Fingerprint......: F941D86BAA0D851BFE411493A8447784E52864CE |
109 |
> Key type ........: PUB Capabilities.: scaESCA |
110 |
> Algorithm........: Pass Bit Length...: Fail |
111 |
> Create Date......: Pass Expire Date..: Fail |
112 |
> Key Version......: Pass Validity.....: -, Unknown |
113 |
> Days till expiry.: infinite <== Exceeds specification |
114 |
> Capability.......: Pass |
115 |
> Qualified ID.....: Pass |
116 |
> This primary key.: Fail |
117 |
> |
118 |
> ---------- |
119 |
> Fingerprint......: 8FE9C051CD0859ED2E03274104711EEBFBF3D64A |
120 |
> Key type ........: SUB Capabilities.: e encrypt |
121 |
> Algorithm........: ---- Bit Length...: ---- |
122 |
> Create Date......: Pass Expire Date..: Fail |
123 |
> Key Version......: Pass Validity.....: -, Unknown |
124 |
> Days till expiry.: infinite <== Exceeds specification |
125 |
> Capability.......: Pass |
126 |
> Qualified ID.....: Pass |
127 |
> This subkey......: Fail |
128 |
> |
129 |
> Key summary |
130 |
> primary..........: Fail signing subkey: Fail |
131 |
> encryption subkey: Yes authentication subkey: No |
132 |
> SPEC requirements: Fail |
133 |
> |
134 |
> |
135 |
> |
136 |
> No signing capable subkey: |
137 |
> Patrick Lauer <patrick>: 0A0901B8F018D5D6A4A31A4410F17899A28441CC |
138 |
> Patrick Lauer <patrick>: F941D86BAA0D851BFE411493A8447784E52864CE |
139 |
> |
140 |
> |
141 |
> No Encryption capable subkey (Notice only): |
142 |
> Patrick Lauer <patrick>: 0A0901B8F018D5D6A4A31A4410F17899A28441CC |
143 |
> |
144 |
> |
145 |
> Incorrect bit length: |
146 |
> Patrick Lauer <patrick>: 0A0901B8F018D5D6A4A31A4410F17899A28441CC |
147 |
> Patrick Lauer <patrick>: F941D86BAA0D851BFE411493A8447784E52864CE |
148 |
> |
149 |
> |
150 |
> Expiry keys: |
151 |
> Patrick Lauer <patrick>: 8FE9C051CD0859ED2E03274104711EEBFBF3D64A |
152 |
> Patrick Lauer <patrick>: F941D86BAA0D851BFE411493A8447784E52864CE |
153 |
> |
154 |
> |
155 |
> Failed to pass SPEC requirements: |
156 |
> Patrick Lauer <patrick>: 0A0901B8F018D5D6A4A31A4410F17899A28441CC |
157 |
> Patrick Lauer <patrick>: F941D86BAA0D851BFE411493A8447784E52864CE |
158 |
> |
159 |
> |
160 |
> Gkey task results: |
161 |
> |
162 |
> Found Failures: |
163 |
> ------- |
164 |
> Revoked................: 0 |
165 |
> Invalid................: 0 |
166 |
> No Signing subkey......: 2 |
167 |
> No Encryption subkey...: 1 |
168 |
> Algorithm..............: 0 |
169 |
> Bit length.............: 2 |
170 |
> Expiry.................: 2 |
171 |
> Expiry Warnings........: 0 |
172 |
> SPEC requirements......: 2 |
173 |
> ============================= |
174 |
> SPEC Approved..........: 0 |
175 |
> |
176 |
> dolsen@vulture /var/lib/gkeys $ |
177 |
> |
178 |
> |
179 |
> Like so many of the dev's gpg keys, they can not ever meet the new spec |
180 |
> because the bit length of the keys are unsatisfactory and proven to be |
181 |
> crackable. Of which, both of his 2 registered (in LDAP) gpg keys are |
182 |
> still the insecure type. At least his first one is now expired, but he |
183 |
> has not attempted to remove it from LDAP, hmm... |
184 |
> |
185 |
> Since he has in the past generated gpg keys on 2 separate occasions, |
186 |
> You would think he should be able to generate a new gpg key that does |
187 |
> meet the GLEP 63 spec. But we have not seen any change in gpg keys |
188 |
> nor had requests for help. Just complaints. I'm sorry, but I'm not |
189 |
> volunteering my time to things in Gentoo just because I want to please |
190 |
> someone that lately just seems to bitch and moan about things not being |
191 |
> a single button or keypress fixable for him. |
192 |
> |
193 |
> We have offered help to devs many times in the past, but few have taken |
194 |
> us up on it and fixed or generated a new gpg key. It has been my |
195 |
> contention these past few months that the only way to get devs to fix |
196 |
> their gpg keys or generate new ones will be to enforce GLEP 63 approved |
197 |
> gpg keys for commit access. I know, that will almost completely |
198 |
> stall out progress in the gentoo tree for a while. But it seems that |
199 |
> is the only way many people will get off their ass and finally do |
200 |
> something about it. |
201 |
> |
202 |
> |
203 |
> As for gkeys integration into portage to be able to verify the |
204 |
> manifests. It was not difficult, I had preliminary code working in it |
205 |
> in just a few days for both portage and pkgcore. It would use gkeys to |
206 |
> do the verification since it controlled the gpg key directories and |
207 |
> keyrings. Both Zac and Tim said the tie ins should be done a little |
208 |
> differently, but I still had code that did the job. I have a gpg |
209 |
> wrapper script that git can be configured to use instead of gpg |
210 |
> directly. That way it can use the gkeys keyring system. GPG still |
211 |
> does the verification work, gkeys just controls the keyrings it sees) |
212 |
> One of the things preventing it from mainstream was properly wrapping |
213 |
> only the verify, but re-spawn ggp to do any signing (signed commits) |
214 |
> without interference from any of gkeys. I believe I have that done |
215 |
> now, but it has not been through enough testing to go into a release. |
216 |
> It is very close I think. So volunteers please emerge gkeys-9999 and |
217 |
> test the gkeys-gpg script and libs. I need to finish up a few more |
218 |
> re-writes of a few more maintenance actions to follow the rest of the |
219 |
> code changes Pavlos did as part of his GSOC project work. It should |
220 |
> then be ready for another release. There have been some changes in the |
221 |
> newest versions of gpg that I have been coming across. I am updating |
222 |
> pyGPG to handle them as I discover them. So if anyone testing the live |
223 |
> version find one, please report it with the traceback so we can update |
224 |
> the code for it. |
225 |
> |
226 |
> Sorry in advance for spouting off some, but I found Patrick's original |
227 |
> post in this thread quite offensive. After all a first release of |
228 |
> gkeys-0.1 of a new developing code base had some bugs once tested on a |
229 |
> wider machine and user base. Oh my, that has never happened before in |
230 |
> the history of computing!!!! |
231 |
> |
232 |
> Patrick, I think it's time you put up or shut up. Bringing up |
233 |
> shortcomings or other things that need attention is useful, but your |
234 |
> near constant bitching is quite tiresome. You could start by fixing |
235 |
> your own gpg key situation. If you don't find adequate documentation |
236 |
> to do it, then create a some that does meets your satisfaction. |
237 |
> |
238 |
> |
239 |
Ok then. |
240 |
|
241 |
|
242 |
Why. |
243 |
|
244 |
|
245 |
WHYYYY |
246 |
|
247 |
|
248 |
Why does the official documentation point me at gkeys-gen, which doesn't |
249 |
work |
250 |
|
251 |
|
252 |
|
253 |
On a wiki that's horribly broken |
254 |
|
255 |
|
256 |
gkeys-gen, which has known showstopper-bugs for a year |
257 |
|
258 |
|
259 |
|
260 |
|
261 |
Like seriously, every time I try to approach this set of problems I run |
262 |
into enough stupidity that it takes me about a week until I even want to |
263 |
try again. |
264 |
|
265 |
|
266 |
|
267 |
Yes of course I could read a few different bits of documentation and |
268 |
make educated guesses. But why do we have documentation then when it's |
269 |
not adequate, and why do we have a helper tool when it doesn't work? |
270 |
|
271 |
|
272 |
... and now I walk away for another week, in the hope that things maybe |
273 |
are saner then. Just to find even more bugs, I expect, but no one uses |
274 |
the documentation anyway, so it doesn't matter, and why am I even |
275 |
bothering to reply to this insanity. |