1 |
On Tue, Mar 4, 2014 at 9:52 AM, Anthony G. Basile |
2 |
<basile@××××××××××××××.edu> wrote: |
3 |
> |
4 |
> One week until the council meeting. Just to make sure I'm not missing any |
5 |
> issues and we don't have a last minute rush, here's the agenda so far: |
6 |
> |
7 |
> http://dev.gentoo.org/~blueness/council/council_agenda_20140311.txt |
8 |
|
9 |
Moving discussion to a separate thread (if my MUA isn't broken)... |
10 |
|
11 |
It looks like we actually want to approve the GLEP, but I think it is |
12 |
still a bit weak on documentation. |
13 |
|
14 |
The only instructions for creating keys reference two outside sources |
15 |
that aren't actually aligned with the policy as far as I can tell. |
16 |
|
17 |
From http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/ : |
18 |
Key is valid for? (0) 0 |
19 |
Key does not expire at all |
20 |
(does not comply with 5-year max) |
21 |
|
22 |
https://wiki.debian.org/Keysigning does not mention half the stuff on |
23 |
our list, like control over digests/etc. |
24 |
|
25 |
Certainly an exhaustive set of instructions on using gpg is too much, |
26 |
but can we at least get: |
27 |
1. A list of steps that can be followed to generate a key that is |
28 |
useful and compliant with the policy. |
29 |
2. A command that can be supplied with a key ID and tell you if the |
30 |
key complies or not. |
31 |
|
32 |
Right now we just have a bunch of pointers to various websites and a |
33 |
set of guidelines, and devs are basically expected to figure it out. |
34 |
I think the result of this is going to be a lot of back-and-forth |
35 |
trying to get everybody to fix their keys, with new issues cropping up |
36 |
all the time. |
37 |
|
38 |
Rich |