On Tue, 2020-12-15 at 23:37 -0500, Aaron W. Swenson wrote:
> On 2020-12-15 11:16, Michael Orlitzky wrote:
> > On 12/15/20 11:11 AM, Thomas Deutschmann wrote:
> > >
> > > What do you mean exactly?
> > >
> > > For Gentoo tooling, only Gentoo keyservers are important and
> > > Gentoo no longer synchronizes with any other pool.
> > >
> > "The Gentoo developer tooling explicitly checks the Gentoo keyserver
> > pool with a much higher frequency" strongly implies that we check the
> > non-Gentoo pools with a non-zero frequency.
> >
> >
>
> I'm with Michael on this. I've recently experienced this issue myself
> as the instruction to upload the key to the Gentoo keyserver is
> separate from the GLEP63[1] document. It doesn't matter that the step
> is documented if the Holy Tome GLEP63 doesn't mention it. What hint
> would I have to look for a supplemental document to provide that
> specific step?
>
> According to GLEP 63, uploading to the SKS keyserver is a requirement.
> However, it fails to specify which SKS keyserver. In fact, neither
> "SKS" nor "keyserver" are defined in GLEP63. Ergo, the natural
> interpretation is *anything* that's called an SKS keyserver will
> satisfy the requirement. As long as the developer can submit the key,
> the requirement is met.
>
> Additionally, the supplemental document[2] doesn't say developers must
> upload via an internal host, but that devs should upload to both SKS
> and the Gentoo keyserver. Yes, it says the Gentoo keyserver is
> currently restricted to syncing with "authorized Gentoo hosts", but
> that's a nonsense phrase and unhelpful. It assumes I know what the
> authorized Gentoo hosts are. It doesn't clearly state what they are.
> It kind of hints that it will pull from SKS eventually, but it could
> take a long time.
>
> I understand we temporarily stopped syncing with the public keyserver
> out of an overabundance of caution. However, that shouldn't have been
> done without updating every official Gentoo resource regarding how
> devs should handle their keys, which as far as I know is only two
> documents[1,2]. A whopping 2 documents.
>
> This new (I know it's been around for a year but that doesn't make it
> any less new), stricter requirement, should be **explicitly** stated
> in GLEP63, properly referencing the justification[3], and linking to
> the infra supplemental document. The infra supplemental document needs
> to then use the phrase "must" in place of "should" when informing
> readers to upload to two different locations.

...and what have you done to resolve the problem, except for making
oververbose complaints and demands in the middle of some random thread?

--
Best regards,
Michał Górny