| 1 |
Just checking: Brian (dol-sen), Rick (Zero_Chaos), Robin (robbat2) - are |
| 2 |
all the issues resolved here? |
| 3 |
|
| 4 |
Please see some quotes below for what might appear to indicate some |
| 5 |
further changes to the GLEP. The key distribution part doesn't seem to |
| 6 |
be fully ready, but feel free to correct me. |
| 7 |
|
| 8 |
Thank you for working on this, I think better security there is |
| 9 |
important for Gentoo. |
| 10 |
|
| 11 |
By the way, one more suggestion that came up is splitting the GLEP into two: |
| 12 |
|
| 13 |
1) individual developer key and gpg guidelines (looks like this could be |
| 14 |
approved now) |
| 15 |
|
| 16 |
2) distro-wide key/keyring distribution mechanism/policy (looks like it |
| 17 |
may need more work) |
| 18 |
|
| 19 |
Paweł |
| 20 |
|
| 21 |
On 11/16/13, 12:43 AM, Brian Dolbec wrote: |
| 22 |
> On Fri, 2013-11-15 at 16:25 -0500, Rick "Zero_Chaos" Farina wrote: |
| 23 |
>> On 11/15/2013 02:37 PM, Robin H. Johnson wrote: |
| 24 |
>>> On Fri, Nov 15, 2013 at 01:51:32PM -0500, Rick "Zero_Chaos" Farina wrote: |
| 25 |
>>>> On 11/15/2013 01:23 AM, Robin H. Johnson wrote: |
| 26 |
>>> There are a few parts to it: |
| 27 |
>>> - gentoo-keys (lead by dolsen) |
| 28 |
>>> This is a mostly infra-level tool that takes the data in LDAP, does |
| 29 |
>>> validation, mixes in the keys from keyserver/homedir, and generates |
| 30 |
>>> keyrings. |
| 31 |
> |
| 32 |
> Not quite right. The gentoo-keys project is a repository with two main |
| 33 |
> components. |
| 34 |
> |
| 35 |
> 1) gkeyldap cli and python pkg. [...] |
| 36 |
> |
| 37 |
> 2) gkey cli and python pkg. [...] |
| 38 |
> [...] |
| 39 |
>> I think this is a great idea, BUT, we would need to handle "the latest |
| 40 |
>> gentoo-dev-keyring" like portage updates used to be handled. If there |
| 41 |
>> is an update, warn the user, and if gentoo-dev-keyring is in the update |
| 42 |
>> list it *must* be merged first. Again, these implementation details |
| 43 |
>> don't necessarily have to be in the glep, but we need to make sure as we |
| 44 |
>> go through that we account for such things. My day job is pretty much |
| 45 |
>> running man in the middle on things and laughing at the result, so I'm |
| 46 |
>> super excited to see all this hard work going in. |
| 47 |
>> [...] |
| 48 |
>>> TODO: |
| 49 |
>>> We need a way for a given repo, once installed, to specify what keyrings |
| 50 |
>>> to use for validation. I'm thinking of adding it to |
| 51 |
>>> metadata/layout.conf. |
| 52 |
>>> The main gentoo-x86 repo would have for example: |
| 53 |
>>> keyrings = gentoo-master gentoo-releng gentoo-dev |
| 54 |
>>> |
| 55 |
>>> Overlays might have: |
| 56 |
>>> keyrings = gentoo-overlay-mysql |
| 57 |
>>> |
| 58 |
>> Love it. This should probably make it into the glep. |
| 59 |
>> |
| 60 |
> Sounds good to me. |
| 61 |
> |
| 62 |
> P.S. OH my, this turned out to be along reply :/ |
| 63 |
> But I hope it clears up any questions people may have about it. |
| 64 |
> It is a work in progress... |
Archives