On Thu, Apr 25, 2019 at 4:55 PM Kristian Fiskerstrand <k...@gentoo.org> wrote:
> Quite frankly I'd expect a Gentoo Developer to be able to manage the gpg
> interface.

Being able to is not the same as caring enough to be bothered with
it...  I don't want to custom-tailor my Gentoo key.  I just want to
generate a key that will make the commit scripts happy.  The key is
completely disposable from a personal standpoint - when the GLEP was
recently revised to make my old key no longer valid, I just generated
a new one.  I didn't even bother revoking the old one, since it had no
function as soon as I changed the fingerprint in LDAP.

I was generating PGP keys back when it used idea and I'm guessing md5.
I've had gpg keys for decades.  I used my personal one for Gentoo
until the point where there were specific requirements for a Gentoo
key, and rather than try to personally live with the Gentoo
requirements it makes far more sense to just generate a
Gentoo-specific key.  Then we can change the GLEP as often as we like
it it really doesn't bother me much.  I can just discard my key and
create a new one, though it would be nice if those creating the GLEPs
would actually document the simplest way to do this for those who
really can't be bothered to read the man page.

I mean, I'd expect any Gentoo dev to be able to figure out how to use
git as well, but git also has a terrible command line interface, so
rather than put a bunch of requirements in a document and force
everybody to dig through manpages to get it to generate signed
commits/pushes/etc we just give a handy workflow.  After all, our goal
is to maintain the repo, not spend all day independently decipering
how to sign pushes or figuring out that a commit sig and a push sig
are two different things.

Personally I think we ought to make it easier to just use the
Nitrokeys we spent all this money on in a more secure manner than just
leaving primary keys lying around on hard drives, which is where I
suspect the vast majority will reside, completely negating the expense
the Foundation and Nitrokey both went through to provide them for us.
While I'm all for GLEPs themselves sticking to specs, having a
workflow document to go along with it would go a long way to helping
devs to comply, rather than spending all our effort writing
increasingly clever scripts to yell at them when they aren't


Reply via email to