that's all i got, i'm sure the other guys that were there can chime in with their experiences (i almost got rajiv to ride piggy back ... maybe next year)

key word is _almost_ ...

several (but unfortunately not all) of the devs verified gpg key fingerprints. those of you who did should now sign keys. <http://dev.gentoo.org/~rajiv/LWE2006Boston/> has instructions.


wolf31o2 and i also had an interesting conversation with david shaw of the gpg project. apparently gpg 1.4.3 has some new features to automatically pull public keys from an ldap server or a dns zone based on a uid. this might solve the problem of how to distribute devs' public keys with portage and manifest signing. if we set up a publicly accessible ldap server with the proper schema at ldap://keys.gentoo.org/ then properly configured gpg setups will automatically download keys as needed.

here is the relevant note from the gnupg 1.4.3 announce email:

    * New auto-key-locate option that takes an ordered list of methods
      to locate a key if it is not available at encryption time (-r or
      --recipient).  Possible methods include "cert" (use DNS CERT as
      per RFC2538bis, "pka" (use DNS PKA), "ldap" (consult the LDAP
      server for the domain in question), "keyserver" (use the
      currently defined keyserver), as well as arbitrary keyserver
      URIs that will be contacted for the key.

    * Able to retrieve keys using DNS CERT records as per RFC-2538bis
      (currently in draft): http://www.josefsson.org/rfc2538bis
