On Mon, Feb 24, 2014 at 11:35 AM, Lucas Nussbaum <lu...@debian.org> wrote:
> Hi,
>
> On 22/02/14 at 20:57 -0500, Andrew Starr-Bochicchio wrote:
>> Has there been any analysis of how active the developers are? I'd
>> hazard to guess that a good number should be moved to emeritus status.
>> Perhaps we should do a ping of developers with 1024 bit keys?
>
> I've done a quick hack using UDD:
> http://udd.debian.org/cgi-bin/gpg1024.cgi
>
> A large number of people still using 1024 bit keys are very active DDs.

I believe I have an idea that's better than the status quo, and is actionable now without potentially crippling the project. Please let me know if I am missing something significant.

Perhaps we could create a new "transition role" GPG identity, that would be administered by the keyring maintainers and would sign any requests for changing to a strong key that are signed by the same DD's weak key. We would allow DDs to use the new strong key to do their work for a limited period of time, while they seek the required two DD signatures. (Say 12 months, but this is fungible.) I am proposing a role key, so it doesn't get confused with "real sigs" and we can easily track who still needs real sigs.

Obviously as DDs switched to strong keys using this option, their old 1024 bit keys would be disabled, but to really make this better than the status quo, we would need to couple this with a policy to set a fairly aggressive date for disabling any 1024 bit keys. (Basically just enough time for keyring maintainers to absorb the influx of key change requests from active DDs.)

This prevents us from having to wait for everyone to get their 2 sigs to move to stronger security. It also means we can as a project set a relatively aggressive date of turning off 1024-bit keys.

The biggest drawback I foresee is that this does put a large burst of workload on the keyring maintainers. (I suspect however this shouldn't be a showstopper, as we could make approval contingent on having enough extra volunteers to implement it.)

Thanks,
Brian

P.S. - We could even give a certain grace period, after disabling 1024 bit keys, to allow DDs to use the same process if they somehow missed the announcements and get stuck being unable to upload. (This way we can be even more aggressive about turning off the 1024bit keys.)

Archive: http://lists.debian.org/CACFaiRzr6y5=9_pd+xngyhdrkrbyorprjgphf_-c6ody-x5...@mail.gmail.com
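The two bookkeeping questions raised in this thread, which keys are still 1024-bit and which replacement keys still lack the two "real" DD signatures once a transition role key is in play, can both be answered from a `gpg --with-colons --list-sigs` dump of the keyring. The script below is an added example and is not Debian's UDD query or any keyring-maint tooling; it parses the colon-separated `pub`, `uid` and `sig` records (field 3 is the key length, field 4 the algorithm, field 5 the key id) and classifies each key. The sample listing, the `TRANSITION_ROLE_KEYID` value and the status labels are constructed placeholders; the threshold of two signatures comes from the proposal above.

```python
"""Classify keys from a `gpg --with-colons --list-sigs` listing under a
1024-bit phase-out that uses a transition role key (added example)."""
from dataclasses import dataclass, field

WEAK_BITS = 2048                            # RSA/DSA below this is flagged
TRANSITION_ROLE_KEYID = "0000000000ROLEKEY" # hypothetical role key id (placeholder)
REQUIRED_DD_SIGS = 2                        # per the proposal: two real DD signatures

# Constructed sample listing, not real keyring data.
SAMPLE_LISTING = """\
pub:u:1024:17:AAAAAAAAAAAAAAAA:1262304000:::u:::scESC::::::23::0:
uid:u::::1262304000::HASH::Alice Example <alice@example.org>::::::::::0:
sig:::17:AAAAAAAAAAAAAAAA:1262304000::::Alice Example <alice@example.org>:13x:::::2:
sig:::1:CCCCCCCCCCCCCCCC:1262304000::::Carol Example <carol@example.org>:10x:::::2:
pub:u:4096:1:BBBBBBBBBBBBBBBB:1393200000:::u:::scESC::::::23::0:
uid:u::::1393200000::HASH::Alice Example <alice@example.org>::::::::::0:
sig:::1:BBBBBBBBBBBBBBBB:1393200000::::Alice Example <alice@example.org>:13x:::::2:
sig:::1:0000000000ROLEKEY:1393200000::::Transition Role <role@example.org>:10x:::::2:
sig:::1:CCCCCCCCCCCCCCCC:1393200000::::Carol Example <carol@example.org>:10x:::::2:
pub:u:4096:1:CCCCCCCCCCCCCCCC:1393200000:::u:::scESC::::::23::0:
uid:u::::1393200000::HASH::Carol Example <carol@example.org>::::::::::0:
sig:::1:CCCCCCCCCCCCCCCC:1393200000::::Carol Example <carol@example.org>:13x:::::2:
sig:::1:DDDDDDDDDDDDDDDD:1393200000::::Dave Example <dave@example.org>:10x:::::2:
sig:::1:EEEEEEEEEEEEEEEE:1393200000::::Eve Example <eve@example.org>:10x:::::2:
pub:u:4096:1:DDDDDDDDDDDDDDDD:1393200000:::u:::scESC::::::23::0:
uid:u::::1393200000::HASH::Dave Example <dave@example.org>::::::::::0:
sig:::1:DDDDDDDDDDDDDDDD:1393200000::::Dave Example <dave@example.org>:13x:::::2:
"""


@dataclass
class Key:
    keyid: str
    bits: int
    algo: int                   # 1 = RSA, 17 = DSA (OpenPGP algorithm ids)
    uids: list = field(default_factory=list)
    signer_ids: set = field(default_factory=set)


def parse_colon_listing(text):
    """Build Key objects from pub/uid/sig records; other record types are ignored."""
    keys, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if f[0] == "pub":
            current = Key(keyid=f[4], bits=int(f[2]), algo=int(f[3]))
            keys.append(current)
        elif f[0] == "uid" and current is not None:
            current.uids.append(f[9])
        elif f[0] == "sig" and current is not None:
            current.signer_ids.add(f[4])   # field 5 = signer key id
    return keys


def is_weak(key):
    return key.bits < WEAK_BITS


def weak_keyids(keys):
    """The 'who still has a 1024-bit key' list the UDD hack answers."""
    return [k.keyid for k in keys if is_weak(k)]


def real_sig_count(key):
    """Signatures that count: neither the self-signature nor the role key."""
    return len(key.signer_ids - {key.keyid, TRANSITION_ROLE_KEYID})


def classify(keys):
    """Map key id -> status under the proposed transition policy."""
    report = {}
    for k in keys:
        if is_weak(k):
            status = "weak-must-transition"
        elif real_sig_count(k) >= REQUIRED_DD_SIGS:
            status = "ok"
        elif TRANSITION_ROLE_KEYID in k.signer_ids:
            status = "transitional-needs-real-sigs"
        else:
            status = "insufficient-sigs"
        report[k.keyid] = status
    return report


if __name__ == "__main__":
    parsed = parse_colon_listing(SAMPLE_LISTING)
    for keyid, status in classify(parsed).items():
        print(keyid, status)
```

Because the role key is excluded from `real_sig_count`, a DD who switched via the transition path shows up as `transitional-needs-real-sigs` until two other DDs have signed the new key, which is exactly the tracking the proposal wants the role key to make easy. Running it against a real keyring is a matter of piping `gpg --with-colons --list-sigs` into `parse_colon_listing`.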