[gentoo-project] Re: [gentoo-dev-announce] Call for agenda items - pgp key handling Von: Patrick Lauer An: gentoo-project@lists.gentoo.org Datum: 30/Oktober/2013, 1:33 (+0100) On 10/29/2013 09:23 PM, Andreas K. Huettel wrote: > In two weeks from now, the council will again have its regular monthly > meeting. Now is the time to raise and prepare items that the council should > put on the agenda to discuss or vote on. Request: A minimal policy for pgp keys and key handling (for commit signing) - Define the allowed key parameters: e.g. 2048bit RSA or DSA, validity at least 6 months - Define a canonical location (e.g. in LDAP and on at least one keyserver) where every dev's key is accessible (at least to gentoo infra) - Define a location of a (signed, autoupdated) global keyring that is accessible to all interested parties (e.g. http://www.gentoo.org/keyring.txt ) That's the first stage that can be done now without big problems, and it can be amended at any later time if there's any deficiencies. (so if we agree that 2048 bit are not enough we just fix it to 4096 bit and a three-month migration time) With that in place we can make commit signing mandatory (because right now we don't even have a way to fetch all keys, so it's worse than useless). And then as a third stage we can discuss things like, say, disabling commit access when the key is less than a month valid (after sending some automated warning mails, yes?) and other ways to make this meaningful. But - let's not get carried away in a big debate about how the NSA has infiltrated the minds of at least three devs, so we need four signatures on every commit before it goes live, and other unrelated madness. Just define the minimum set of rules to make signing useful, and then figure out how to enforce it. (As a sidenote, someone might want to figure out how to do remote signed commits - last time this was discussed I think there were some minor issues that should be worked out so that we're all not too affected with workflow changes) Thanks, Patrick