| 1 |
On Tue, Mar 4, 2014 at 9:52 AM, Anthony G. Basile |
| 2 |
<basile@××××××××××××××.edu> wrote: |
| 3 |
> |
| 4 |
> One week until the council meeting. Just to make sure I'm not missing any |
| 5 |
> issues and we don't have a last minute rush, here's the agenda so far: |
| 6 |
> |
| 7 |
> http://dev.gentoo.org/~blueness/council/council_agenda_20140311.txt |
| 8 |
|
| 9 |
Moving discussion to a separate thread (if my MUA isn't broken)... |
| 10 |
|
| 11 |
It looks like we actually want to approve the GLEP, but I think it is |
| 12 |
still a bit weak on documentation. |
| 13 |
|
| 14 |
The only instructions for creating keys reference two outside sources |
| 15 |
that aren't actually aligned with the policy as far as I can tell. |
| 16 |
|
| 17 |
From http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/ : |
| 18 |
Key is valid for? (0) 0 |
| 19 |
Key does not expire at all |
| 20 |
(does not comply with 5-year max) |
| 21 |
|
| 22 |
https://wiki.debian.org/Keysigning does not mention half the stuff on |
| 23 |
our list, like control over digests/etc. |
| 24 |
|
| 25 |
Certainly an exhaustive set of instructions on using gpg is too much, |
| 26 |
but can we at least get: |
| 27 |
1. A list of steps that can be followed to generate a key that is |
| 28 |
useful and compliant with the policy. |
| 29 |
2. A command that can be supplied with a key ID and tell you if the |
| 30 |
key complies or not. |
| 31 |
|
| 32 |
Right now we just have a bunch of pointers to various websites and a |
| 33 |
set of guidelines, and devs are basically expected to figure it out. |
| 34 |
I think the result of this is going to be a lot of back-and-forth |
| 35 |
trying to get everybody to fix their keys, with new issues cropping up |
| 36 |
all the time. |
| 37 |
|
| 38 |
Rich |
Archives