| 1 |
On 09/29/2011 12:23 PM, Mike Frysinger wrote: |
| 2 |
> On Thursday, September 29, 2011 11:11:59 Patrick Lauer wrote: |
| 3 |
>> On 09/29/11 17:04, Tony "Chainsaw" Vroon wrote: |
| 4 |
>>> On 29/09/11 16:02, Anthony G. Basile wrote: |
| 5 |
>>>> Is there any chance that we can agree to reject |
| 6 |
>>>> unsigned manifests? Possibly a question for the Council to adjudicate? |
| 7 |
>>> I am happy to back a mandatory signing policy for the main gentoo-x86 |
| 8 |
>>> tree. This is a simple yes or no question that the council can vote on. |
| 9 |
>> As previously discussed it would be nice to have some basic key policies |
| 10 |
>> in place for that - they can be changed at any later time, but for now |
| 11 |
>> we could agree on basic parameters like, say - |
| 12 |
>> |
| 13 |
>> at least 1024bit key length |
| 14 |
>> at least 6 months validity from creation |
| 15 |
>> one or more algorithms (initially DSA signatures and SHA1 hashing) |
| 16 |
> there's nothing to decide as it was already outlined long ago in the docs: |
| 17 |
> http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=2&chap=6 |
| 18 |
> |
| 19 |
> if you want to *refine* that, then that's a different issue. but the devs |
| 20 |
> already have all the info they need to start signing now. |
| 21 |
> -mike |
| 22 |
|
| 23 |
Thanks I didn't know that had made it to the devmanual. I drop my |
| 24 |
original request. |
| 25 |
|
| 26 |
I guess the next step, if we were to take it, would be to have infra |
| 27 |
enforce the policy automatically if a commit comes in which isn't signed. |
| 28 |
|
| 29 |
-- |
| 30 |
Anthony G. Basile, Ph.D. |
| 31 |
Gentoo Linux Developer [Hardened] |
| 32 |
E-Mail : blueness@g.o |
| 33 |
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 |
| 34 |
GnuPG ID : D0455535 |
Archives