1 |
On Thu, 2020-12-17 at 13:28 -0500, Mike Gilbert wrote: |
2 |
> On Wed, Dec 16, 2020 at 11:48 PM desultory <desultory@g.o> |
3 |
> wrote: |
4 |
> > |
5 |
> > On 12/16/20 03:01, Michał Górny wrote: |
6 |
> > > On Tue, 2020-12-15 at 23:37 -0500, Aaron W. Swenson wrote: |
7 |
> > > > On 2020-12-15 11:16, Michael Orlitzky wrote: |
8 |
> > > > > On 12/15/20 11:11 AM, Thomas Deutschmann wrote: |
9 |
> > > > > > |
10 |
> > > > > > What do you mean exactly? |
11 |
> > > > > > |
12 |
> > > > > > For Gentoo tooling, only Gentoo keyservers are important |
13 |
> > > > > > and |
14 |
> > > > > > Gentoo no longer synchronizes with any other pool. |
15 |
> > > > > > |
16 |
> > > > > "The Gentoo developer tooling explicitly checks the Gentoo |
17 |
> > > > > keyserver |
18 |
> > > > > pool with a much higher frequency" strongly implies that we |
19 |
> > > > > check |
20 |
> > > > > the |
21 |
> > > > > non-Gentoo pools with a non-zero frequency. |
22 |
> > > > > |
23 |
> > > > > |
24 |
> > > > |
25 |
> > > > I'm with Michael on this. I've recently experienced this issue |
26 |
> > > > myself |
27 |
> > > > as the |
28 |
> > > > instruction to upload the key to the Gentoo keyserver is |
29 |
> > > > separate |
30 |
> > > > from the |
31 |
> > > > GLEP63[1] document. It doesn't matter that the step is |
32 |
> > > > documented if |
33 |
> > > > the Holy |
34 |
> > > > Tome GLEP63 doesn't mention it. What hint would I have to look |
35 |
> > > > for a |
36 |
> > > > supplemental document to provide that specific step? |
37 |
> > > > |
38 |
> > > > According to GLEP 63, uploading to the SKS keyserver is a |
39 |
> > > > requirement. |
40 |
> > > > However, it fails to specify which SKS keyserver. In fact, |
41 |
> > > > neither |
42 |
> > > > "SKS" nor |
43 |
> > > > "keyserver" are defined in GLEP63. Ergo, the natural |
44 |
> > > > interpretation |
45 |
> > > > is *anything* |
46 |
> > > > that's called an SKS keyserver will satisfy the requirement. As |
47 |
> > > > long |
48 |
> > > > as the |
49 |
> > > > developer can submit the key, the requirement is met. |
50 |
> > > > |
51 |
> > > > Additionally, the supplemental document[2] doesn't say |
52 |
> > > > developers |
53 |
> > > > must upload |
54 |
> > > > via an internal host, but that devs should upload to both SKS |
55 |
> > > > and the |
56 |
> > > > Gentoo |
57 |
> > > > keyserver. Yes, it says the Gentoo keyserver is currently |
58 |
> > > > restricted |
59 |
> > > > to syncing |
60 |
> > > > with "authorized Gentoo hosts", but that's a nonsense phrase |
61 |
> > > > and |
62 |
> > > > unhelpful. It |
63 |
> > > > assumes I know what the authorized Gentoo hosts are. It doesn't |
64 |
> > > > clearly state |
65 |
> > > > what they are. It kind of hints that it will pull from SKS |
66 |
> > > > eventually, but it |
67 |
> > > > could take a long time. |
68 |
> > > > |
69 |
> > > > I understand we temporarily stopped syncing with the public |
70 |
> > > > keyserver |
71 |
> > > > out of an |
72 |
> > > > overabundance of caution. However, that shouldn't have been |
73 |
> > > > done |
74 |
> > > > without |
75 |
> > > > updating every official Gentoo resource regarding how devs |
76 |
> > > > should |
77 |
> > > > handle their |
78 |
> > > > keys, which as far as I know is only two documents[1,2]. A |
79 |
> > > > whopping 2 |
80 |
> > > > documents. |
81 |
> > > > |
82 |
> > > > This new (I know it's been around for a year but that doesn't |
83 |
> > > > make it |
84 |
> > > > any less |
85 |
> > > > new), stricter requirement, should be **explicitly** stated in |
86 |
> > > > GLEP63, properly |
87 |
> > > > referencing the justification[3], and linking to the infra |
88 |
> > > > supplemental |
89 |
> > > > document. The infra supplemental document needs to then use the |
90 |
> > > > phrase "must" in |
91 |
> > > > place of "should" when informing readers to upload to two |
92 |
> > > > different |
93 |
> > > > locations. |
94 |
> > > |
95 |
> > > ...and what have you done to resolve the problem, except for |
96 |
> > > making |
97 |
> > > oververbose complaints and demands in middle of some random |
98 |
> > > thread? |
99 |
> > > |
100 |
> > Discuss it, which is more than you have done here. There is no need |
101 |
> > to |
102 |
> > berate signal because you feel like making noise. |
103 |
> > |
104 |
> > Formulating and discussing ways to fix problems before actually |
105 |
> > fixing |
106 |
> > them helps to reduce effort wasted on rebuilding old solutions |
107 |
> > which |
108 |
> > have failed for whatever reason. In this case documentation needs |
109 |
> > to be |
110 |
> > updated, discussing the appropriate manner in which to update which |
111 |
> > documentation seems to be more grounds for engagement than |
112 |
> > recrimination. |
113 |
> > |
114 |
> > On the subject of updating the documentation, the proposal seems |
115 |
> > generally sound; do you have any constructive criticism of it? |
116 |
> > |
117 |
> |
118 |
> So I can understand where Michał's reaction comes from. On my first |
119 |
> read through Aaron's message, it seemed like a long email complaining |
120 |
> about things that had been done wrong. Upon re-reading it with a |
121 |
> different mindset, it doesn't seem so bad if you skip over some of |
122 |
> the |
123 |
> text. |
124 |
|
125 |
To me, it sounded like 'I am so important that I can't be bothered to |
126 |
report it properly, so I just write a long complaint right here |
127 |
and expect someone to resolve it'. |
128 |
|
129 |
|
130 |
-- |
131 |
Best regards, |
132 |
Michał Górny |