On Fri, Jul 17, 2015 at 12:42 AM, Brian Dolbec <dolsen@g.o> wrote:
>
> I don't know tbh, most are already signed, with the git migration, the
> strongly recommended commit signing will become MANDATORY.
>
> So, we are at 50 devs with valid gpg keys now, with 200 more gpg keys
> listed in LDAP that fail to meet the new spec. PLEASE fix them or
> create new keys...

How does somebody know whether their key meets the spec or not? I
looked at the gentoo-keys website and didn't see any simple way to
check.

There was documentation on the gkeys utility for checking keys, but I
ran into a few issues with this. First, it can't be installed on a
stable system with mirrorselect.

On a clean ~arch stage3 when trying to run "gkeys fetch-seed -C
gentoo-devs" it outputs:
Connector.connect_url(); Failed to retrieve the content from:
https://api.gentoo.org/gentoo-keys/seeds/gentoo-devs.seeds
Error was: Invalid header value 'Wed, 15 Jul 2015 17:50:17 GMT\n'

After removing the files in /var/lib/gentoo/gkeys/seeds the fetch
works. However, attempting to run "gkeys install-key -C gentoo-devs"
results in:
Found GKEY seeds:
Traceback (most recent call last):
  File "/usr/lib/python-exec/python2.7/gkeys", line 50, in <module>
    success = main()
  File "/usr/lib64/python2.7/site-packages/gkeys/cli.py", line 63, in __call__
    return self.run(args)
  File "/usr/lib64/python2.7/site-packages/gkeys/base.py", line 303, in run
    success, results = func(args)
  File "/usr/lib64/python2.7/site-packages/gkeys/actions.py", line 264, in installkey
    self.output(['', gkey], "\n Found GKEY seeds:")
  File "/usr/lib64/python2.7/site-packages/gkeys/base.py", line 323, in output_results
    print("\n".join([x.pretty_print for x in msg]))
UnicodeEncodeError: 'ascii' codec can't encode character u'\u017b' in position 1233: ordinal not in range(128)

It might not hurt to publish the list of keys that fail checks. If
that list is going to be used to block commits then obviously it needs
to be updated very frequently. I do not know if there are any plans
to block commits with signatures that do not conform to the GLEP.

--
Rich