On Mon, 2013-11-11 at 00:01 +0000, Robin H. Johnson wrote:
> Gentoo LDAP:
> ============
> All developers must list the complete GPG fingerprint for their root
> keys in the "gpgfingerprint" LDAP field.
> 
> It should be exactly 40 hex digits, uppercase, with optional spaces
> every 8 hex digits. Regular expression for validation:
> ^[[:xdigit:]]{8}( ?[[:xdigit:]]{8}){4}$
> 

The problem I can see happening by allowing the optional spaces is that
currently the fingerprint field is a space-separated list of
fingerprints.  In the ldap-seeds code used to generate the
developer.seeds file, I am splitting that field data on the spaces to
get a python list of individual fingerprints.  There are developers that
have 2 fingerprints listed.  If spaces are to be allowed in the
fingerprint then we will need to use and enforce a different separator
to divide the fingerprints.  Currently in gentoo-keys I use the ":" as a
separator in the gpgkey and fingerprint fields of the seed file.  A "|"
is used to separate the fields of the seed info.


> The prior "gpgkey" field will be removed, as it is a subset of the
> fingerprint field. In any place that presently displays the gpgkey
> field, the last 16 hex digits of the fingerprint should be displayed
> instead.
> 

++

Currently running some checks on the gpgkey and fingerprint fields,
there are many developers with errors.  Some have 2 gpgkeys listed, but
only 1 fingerprint; for some the gpgkey does not match the fingerprint.  One
dev's fingerprint is only 39 chars in length.  Please check if yours has
errors and correct them.  See below for the links.

Eliminating the gpgkey field in LDAP will reduce the chance for
errors, and it is redundant data anyway.  I will later establish a policy &
code to test the developer.seeds file to look for errors in installing
the keys before it is pushed to the server for public download.  I
already have code to install the complete set of developer seeds, but
need to add/tweak the code to log the errors correctly.

For the current file of the valid developer seeds:

   http://dev.gentoo.org/~dolsen/developer.seeds

   record entries are 1 dev per line.
   fields are ['nick', 'name', 'keyid', 'longkeyid','keydir', 'fingerprint']

For the latest log of the seed file generation run which lists the
errors found:

    http://dev.gentoo.org/~dolsen/gkeyldap-latest.log


P.S. If any python coders are interested in helping, please contact
me :)

> Tools:
> ======
> We have most of the key-tracking in progress in the gentoo-keys project
> [#GENTOOKEYS]_.
> 
> This toolset should also include easy-to-use tools for developers to generate
> new keys [#TOOLSET]_ (using the recommendations) and update expiry dates. 
> 
> This tool should generate a final user-formatted keyring, to be hosted on the
> Gentoo API site.
> 
> Backwards Compatibility:
> ========================
> There is no consistent standard for GPG usage in Gentoo to date.
> There is conflicting information in the Devmanual [#DEVMANUAL-MANIFEST]_
> and the GnuPG Gentoo user guide [#GNUPG-USER]_. As there is little
> enforcement of Manifest signing and very little commit signing to date,
> there are no backwards compatibility concerns.
> 
> External documentation:
> =======================
> Much of the above was driven by the following:
>   - NIST SP 800-57 recommendations [#NIST-SP800-57-1]_,
>       [#NIST-SP800-57-2]_
>   - Debian GPG documentation [#DEBIANGPG]_
>   - RiseUp.net OpenPGP best practices [#RISEUP]_
> 
> References:
> ===========
> .. [#GENTOOKEYS] Gentoo Keys project
>    (http://git.overlays.gentoo.org/gitweb/?p=proj/gentoo-keys.git)
> .. [#TOOLSET] http://thread.gmane.org/gmane.linux.gentoo.devel/83996/focus=84220
> .. [#NIST-SP800-57-1] NIST SP 800-57: Recommendation for Key Management:
>    Part 1: General (Revision 3)
>    (http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf)
> .. [#NIST-SP800-57-2] NIST SP 800-57: Recommendation for Key Management:
>    Part 2: Best Practices for Key Management Organization
>    (http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part2.pdf)
> .. [#EKAIA] Ana's blog: Creating a new GPG key
>    (http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/)
> .. [#DEBIANGPG] Debian GPG documentation
>    (https://wiki.debian.org/Keysigning)
> .. [#RISEUP] RiseUp.net OpenPGP best practices
>    (https://we.riseup.net/riseuplabs+paow/openpgp-best-practices)
> .. [#DEVMANUAL-MANIFEST] Gentoo Development Guide: Manifest
>    (http://devmanual.gentoo.org/general-concepts/manifest/index.html)
> .. [#GNUPG-USER] GnuPG Gentoo User Guide
>    (http://www.gentoo.org/doc/en/gnupg-user.xml)
> 

-- 
Brian Dolbec <[email protected]>
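As an added example (not code from gentoo-keys or from either mail), a Python check in the spirit of the seed-file validation Brian describes: it applies Robin's fingerprint rule (Python's re has no POSIX [[:xdigit:]] class, so [0-9A-F] stands in, which also enforces the uppercase requirement), parses constructed developer.seeds records using the "|" and ":" separators from the mail, and flags the error classes listed above: a keyid count that differs from the fingerprint count, a keyid or longkeyid that does not match the fingerprint tail, and a 39-digit fingerprint. The nicks, names and keys are made up.

```python
import re
# Robin's rule: 40 uppercase hex digits with an optional space every 8.
FPR_RE = re.compile(r"^[0-9A-F]{8}( ?[0-9A-F]{8}){4}$")
# developer.seeds layout from the mail: one dev per line, "|" between fields,
# ":" between multiple values inside a field.
SEED_FIELDS = ["nick", "name", "keyid", "longkeyid", "keydir", "fingerprint"]
# Constructed sample records (not real developers or keys): alice is clean,
# bob lists two keyids for one fingerprint, carol's fingerprint is 39 digits.
SAMPLE_SEEDS = """\
alice|Alice Example|01234567|89ABCDEF01234567|alice|01234567 89ABCDEF 01234567 89ABCDEF 01234567
bob|Bob Example|FEDCBA98:01234567|76543210FEDCBA98|bob|FEDCBA9876543210FEDCBA9876543210FEDCBA98
carol|Carol Example|0BADC0DE|0BADC0DE0BADC0DE|carol|0BADC0DE0BADC0DE0BADC0DE0BADC0DE0BADC0D
"""

def normalize_fingerprint(fpr):
    """Return the 40-digit fingerprint without spaces, or None if invalid."""
    fpr = fpr.strip()
    return fpr.replace(" ", "") if FPR_RE.match(fpr) else None

def check_record(rec):
    """Return the consistency errors for one seed record (empty list = clean)."""
    errors = []
    keyids = rec["keyid"].split(":")
    longids = rec["longkeyid"].split(":")
    fprs = rec["fingerprint"].split(":")
    if len(keyids) != len(fprs):
        errors.append("%d keyid(s) but %d fingerprint(s)" % (len(keyids), len(fprs)))
    for fpr in fprs:
        clean = normalize_fingerprint(fpr)
        if clean is None:
            errors.append("malformed fingerprint %r" % fpr)
            continue
        # keyid is the last 8 hex digits of the fingerprint, longkeyid the last 16
        if clean[-8:] not in keyids:
            errors.append("keyid does not match fingerprint %s" % clean)
        if clean[-16:] not in longids:
            errors.append("longkeyid does not match fingerprint %s" % clean)
    return errors

def check_seeds(text):
    """Map each nick with problems to its error list, like the gkeyldap log."""
    report = {}
    for line in text.splitlines():
        if line.strip():
            rec = dict(zip(SEED_FIELDS, line.split("|")))
            errs = check_record(rec)
            if errs:
                report[rec["nick"]] = errs
    return report
```

Running `check_seeds(SAMPLE_SEEDS)` reports bob's keyid/fingerprint count mismatch and carol's malformed fingerprint while alice passes clean.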