[gentoo-dev] [PATCH v4 07/14] glep-0063: Change the recommended RSA key size to 2048 bits

2018-07-06 Thread Michał Górny
Change the recommended key size recommendation for RSA from 4096 bits to 2048 bits. Use of larger keys is unjustified due to negligible gain in security, and recommending RSA-4096 unnecessarily resulted in developers replacing their RSA-2048 keys for no good reason. --- glep-0063.rst | 20

[gentoo-dev] [PATCH v4 05/14] glep-0063: Split out the signing subkey into a separate point

2018-07-06 Thread Michał Górny
Reword the specification to express the requirement for separate signing subkey more verbosely. Replace the ambiguous term 'dedicated' with clear explanation that it needs to be different from the primary key and not used for other purposes. Suggested-by: Kristian Fiskerstrand ---

[gentoo-dev] [PATCH v4 06/14] glep-0063: Explain minimal & recommended sections

2018-07-06 Thread Michał Górny
--- glep-0063.rst | 8 1 file changed, 8 insertions(+) diff --git a/glep-0063.rst b/glep-0063.rst index 05e5e9d..a93e6ac 100644 --- a/glep-0063.rst +++ b/glep-0063.rst @@ -41,6 +41,10 @@ Specifications for OpenPGP keys Bare minimum requirements - +This

[gentoo-dev] [PATCH v4 03/14] glep-0063: 'Gentoo subkey' → 'Signing subkey'

2018-07-06 Thread Michał Górny
Replace the 'Gentoo subkey' term that might wrongly suggest that the developers are expected to create an additional, dedicated subkey for Gentoo. Suggested-by: Kristian Fiskerstrand --- glep-0063.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/glep-0063.rst

[gentoo-dev] [PATCH v4 04/14] glep-0063: Root key → primary key

2018-07-06 Thread Michał Górny
Replace the custom term 'root key' with much more common 'primary key'. This is also the term used in GnuPG output. --- glep-0063.rst | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/glep-0063.rst b/glep-0063.rst index 6be2555..940612c 100644 --- a/glep-0063.rst +++

[gentoo-dev] [PATCH v4 02/14] glep-0063: RSAv4 -> OpenPGP v4 key format

2018-07-06 Thread Michał Górny
Replace the 'RSAv4' with 'OpenPGP v4 key format'. The RSA algorithm does not really have versions, and the author most likely meant the v4 of OpenPGP key format as outlined in RFC 4880, section 12.1. This was figured out and explained to me by Kristian Fiskerstrand. --- glep-0063.rst | 4 ++--

[gentoo-dev] [PATCH v4 01/14] glep-0063: Use 'OpenPGP' as appropriate

2018-07-06 Thread Michał Górny
Replace many of the incorrect uses of GPG/GnuPG [key] with OpenPGP. G[nu]PG has been left where the text clearly refers to the specific implementation of OpenPGP rather than the standard itself. --- glep-0063.rst | 28 +++- 1 file changed, 15 insertions(+), 13 deletions(-)

[gentoo-dev] [PATCH v4 00/14] GLEP 63 update

2018-07-06 Thread Michał Górny
Hi, Here's the next iteration of the GLEP, integrating even more suggestions from developers. Full text below. Also, please do not reply to previous versions, as this is making the discussion really hard to follow. -- Best regards, Michał Górny Michał Górny (14): glep-0063: Use 'OpenPGP' as

Re: [gentoo-dev] [PATCH v3 10/12] glep-0063: Make 2-yearly expiration term mandatory

2018-07-06 Thread Michał Górny
On Fri, 06.07.2018 at 08∶40 +0200, user Ulrich Mueller wrote: > > > > > > On Fri, 06 Jul 2018, Michał Górny wrote: > > Did you even read the text? It's 'at most 2 years'. If you renew it > > every year, you can achieve the desired effect while keeping far > > ahead of the

Re: [gentoo-dev] [PATCH v3 00/12] GLEP 63 update

2018-07-06 Thread Michał Górny
On Fri, 06.07.2018 at 21∶26 -0400, user Richard Yao wrote: > > On Jul 5, 2018, at 4:53 PM, Michał Górny wrote: > > > > Hi, > > > > Here's third version of the patches. I've incorporated the feedback > > so far and reordered the patches (again) to restore their > >

Re: [gentoo-dev] Re: [PATCH v3 00/12] GLEP 63 update

2018-07-06 Thread Michał Górny
On Fri, 06.07.2018 at 06∶36 +, user Robin H. Johnson wrote: > On Thu, Jul 05, 2018 at 10:53:51PM +0200, Michał Górny wrote: > > Here's third version of the patches. I've incorporated the feedback > > so far and reordered the patches (again) to restore their > >

Re: [gentoo-dev] [PATCH v3 00/12] GLEP 63 update

2018-07-06 Thread Richard Yao
> On Jul 5, 2018, at 4:53 PM, Michał Górny wrote: > > Hi, > > Here's third version of the patches. I've incorporated the feedback > so far and reordered the patches (again) to restore their > degree-of-compatibility order. The full text is included below. > > > Michał Górny (12): >

Re: [gentoo-dev] Re: [PATCH v3 00/12] GLEP 63 update

2018-07-06 Thread Christopher Head
>> > 4. Expiration date on key and all subkeys set to at most 2 years >> >> -at most 2 years. >> +at most 2 years from generation or refresh of expiry. > >Now, this won't really work because it's self-propagating date. You're >soon going to see keys with 10 years to expiration because if you

Re: [gentoo-dev] rfc: killing mediawiki

2018-07-06 Thread Ulrich Mueller
> On Fri, 6 Jul 2018, Kent Fredric wrote: > On Thu, 5 Jul 2018 12:32:20 -0500 > William Hubbs wrote: >> I looked at this first, and it is very hard on the server. >> Every pull or clone you do to update things works like an initial >> clone, so it takes pretty massive resources. > Surely,

Re: [gentoo-dev] rfc: killing mediawiki

2018-07-06 Thread William Hubbs
On Fri, Jul 06, 2018 at 12:34:33PM +1200, Kent Fredric wrote: > On Thu, 5 Jul 2018 12:32:20 -0500 > William Hubbs wrote: > > > I looked at this first, and it is very hard on the server. > > Every pull or clone you do to update things works like an initial clone, > > so it takes pretty massive

Re: [gentoo-dev] [PATCH v2 09/11] glep-0063: Make recommended expiration terms mandatory

2018-07-06 Thread Michał Górny
On Fri, 06.07.2018 at 16∶21 +0200, user Marc Schiffbauer wrote: > * Kristian Fiskerstrand wrote on 06.07.18 at 13:00: > > On 07/05/2018 05:37 PM, Marc Schiffbauer wrote: > > > I have my primary key offline only, so renewing/editing it is a much > > > more time consuming

Re: [gentoo-dev] [PATCH v2 09/11] glep-0063: Make recommended expiration terms mandatory

2018-07-06 Thread Marc Schiffbauer
* Kristian Fiskerstrand wrote on 06.07.18 at 13:00: > On 07/05/2018 05:37 PM, Marc Schiffbauer wrote: > > I have my primary key offline only, so renewing/editing it is a much > > more time consuming matter than if I had my primary key always with me > > which I consider a bad idea because

Re: [gentoo-dev] [PATCH v2 09/11] glep-0063: Make recommended expiration terms mandatory

2018-07-06 Thread Fabian Groffen
On 06-07-2018 13:34:21 +0200, Ulrich Mueller wrote: > - Make creation of a revocation certificate (and storing it in a place > separate from the key) mandatory. What does this really achieve? Or require? Am I supposed to buy or hire a vault now? -- I'm assuming the word "safe" is missing

Re: [gentoo-dev] [PATCH v2 09/11] glep-0063: Make recommended expiration terms mandatory

2018-07-06 Thread Kristian Fiskerstrand
On 07/06/2018 01:34 PM, Ulrich Mueller wrote: > Note that the revocation certificate is still listed under > recommendations only, so devs need not create one. Making this a > requirement would be a real improvement, IMHO. From a Gentoo perspective, we can "revoke" it by deleting it from LDAP and

Re: [gentoo-dev] [PATCH v2 09/11] glep-0063: Make recommended expiration terms mandatory

2018-07-06 Thread Michał Górny
On Fri, 06.07.2018 at 13∶34 +0200, user Ulrich Mueller wrote: > > > > > > On Fri, 6 Jul 2018, Marc Schiffbauer wrote: > > * Michał Górny wrote on 06.07.18 at 11:33: > > > If you don't see it for 5 years, how can you be sure that it is > > > even still there? > > Are you

Re: [gentoo-dev] [PATCH v2 09/11] glep-0063: Make recommended expiration terms mandatory

2018-07-06 Thread Ulrich Mueller
> On Fri, 6 Jul 2018, Marc Schiffbauer wrote: > * Michał Górny wrote on 06.07.18 at 11:33: >> If you don't see it for 5 years, how can you be sure that it is >> even still there? > Are you serious? Who tells you that I do not check from time to > time? > I am sure there will always be

Re: [gentoo-dev] [PATCH v2 09/11] glep-0063: Make recommended expiration terms mandatory

2018-07-06 Thread Kristian Fiskerstrand
On 07/05/2018 05:37 PM, Marc Schiffbauer wrote: > I have my primary key offline only, so renewing/editing it is a much > more time consuming matter than if I had my primary key always with me > which I consider a bad idea because you do not need to. But is it sufficiently time-consuming /

Re: [gentoo-dev] [PATCH v2 09/11] glep-0063: Make recommended expiration terms mandatory

2018-07-06 Thread Marc Schiffbauer
* Michał Górny wrote on 06.07.18 at 11:33: > On Fri, 06.07.2018 at 11∶08 +0200, user Marc > Schiffbauer wrote: > > * Michał Górny wrote on 05.07.18 at 20:25: > > > On Thu, 05.07.2018 at 17∶37 +0200, user Marc > > > Schiffbauer wrote: > > > > +1

Re: [gentoo-dev] [PATCH v2 09/11] glep-0063: Make recommended expiration terms mandatory

2018-07-06 Thread Michał Górny
On Fri, 06.07.2018 at 11∶08 +0200, user Marc Schiffbauer wrote: > * Michał Górny wrote on 05.07.18 at 20:25: > > On Thu, 05.07.2018 at 17∶37 +0200, user Marc > > Schiffbauer wrote: > > > +1 for 5 years or at least 3. > > > > > > Having to renew/edit

Re: [gentoo-dev] [PATCH v2 09/11] glep-0063: Make recommended expiration terms mandatory

2018-07-06 Thread Marc Schiffbauer
* Michał Górny wrote on 05.07.18 at 20:25: > On Thu, 05.07.2018 at 17∶37 +0200, user Marc > Schiffbauer wrote: > > +1 for 5 years or at least 3. > > > > Having to renew/edit the key each year seems crazy to me. > > > > I have my primary key offline only, so

[gentoo-dev] Packages / Project up for grabs

2018-07-06 Thread Manuel Rüger
Hi, as I want to keep my work on Gentoo focussed, the following packages are up for grabs as I don't use them: app-admin/certmgr app-emulation/hyperd app-emulation/runv dev-haskell/pgp-wordlist dev-haskell/parser-combinators dev-haskell/prettyprinter dev-libs/onigmo dev-python/grafanalib

Re: [gentoo-dev] [PATCH v2 10/11] glep-0063: Require renewal 2 weeks before expiration

2018-07-06 Thread Michał Górny
On Fri, 06.07.2018 at 10∶11 +0200, user Manuel Rüger wrote: > I disagree with adding this as a requirement. > > Services should explicitly fail to work with expired GPG keys, key > renewal times should be at the key owner's discretion. > This should still be a recommendation

Re: [gentoo-dev] [PATCH v3 08/12] glep-0063: Allow ECC curve 25519 keys

2018-07-06 Thread Kristian Fiskerstrand
On 07/06/2018 07:49 AM, Ulrich Mueller wrote: >> On Thu, 5 Jul 2018, Jonas Stein wrote: > >>> b. RSA, >=2048 bits (OpenPGP v4 key format or later only) >>> >>> + c. ECC curve 25519 >>> + >>> 4. Key expiry: 5 years maximum >>> 5. Upload your key to the SKS keyserver rotation before usage! >

Re: [gentoo-dev] [PATCH v2 10/11] glep-0063: Require renewal 2 weeks before expiration

2018-07-06 Thread Manuel Rüger
I disagree with adding this as a requirement. Services should explicitly fail to work with expired GPG keys, key renewal times should be at the key owner's discretion. This should still be a recommendation that guarantees the key owner to continue work without interruption. Thanks, Manuel On

Re: [gentoo-dev] [PATCH v3 10/12] glep-0063: Make 2-yearly expiration term mandatory

2018-07-06 Thread Brian Dolbec
On Fri, 06 Jul 2018 08:51:12 +0200 Michał Górny wrote: > On Fri, 06.07.2018 at 06∶28 +, user Robin H. > Johnson wrote: > > On Fri, Jul 06, 2018 at 08:18:32AM +0200, Michał Górny wrote: > > > > option a) > > > > 2 years + N: > > > > 2 weeks <= N <= 3 months. > > > > > >

Re: [gentoo-dev] [PATCH v3 10/12] glep-0063: Make 2-yearly expiration term mandatory

2018-07-06 Thread Brian Dolbec
On Fri, 06 Jul 2018 08:18:32 +0200 Michał Górny wrote: > On Fri, 06.07.2018 at 06∶08 +, user Robin H. > Johnson wrote: > > On Fri, Jul 06, 2018 at 07:43:56AM +0200, Ulrich Mueller wrote: > > > > > > > > On Thu, 5 Jul 2018, Michał Górny wrote: > > > > Replace the

Re: [gentoo-dev] [PATCH v3 10/12] glep-0063: Make 2-yearly expiration term mandatory

2018-07-06 Thread Michał Górny
On Fri, 06.07.2018 at 06∶28 +, user Robin H. Johnson wrote: > On Fri, Jul 06, 2018 at 08:18:32AM +0200, Michał Górny wrote: > > > option a) > > > 2 years + N: > > > 2 weeks <= N <= 3 months. > > > > > > option b) > > > Change the wording to be 'at most 2 years' instead of

Re: [gentoo-dev] [PATCH v3 10/12] glep-0063: Make 2-yearly expiration term mandatory

2018-07-06 Thread Ulrich Mueller
> On Fri, 06 Jul 2018, Michał Górny wrote: > Did you even read the text? It's 'at most 2 years'. If you renew it > every year, you can achieve the desired effect while keeping far > ahead of the required schedule. So effectively we're down from 5 years to 1 year also for the main key, as a

[gentoo-dev] Re: [PATCH v3 00/12] GLEP 63 update

2018-07-06 Thread Robin H. Johnson
On Thu, Jul 05, 2018 at 10:53:51PM +0200, Michał Górny wrote: > Here's third version of the patches. I've incorporated the feedback > so far and reordered the patches (again) to restore their > degree-of-compatibility order. The full text is included below. ... > v2 > The distinct minimal and

Re: [gentoo-dev] [PATCH v3 10/12] glep-0063: Make 2-yearly expiration term mandatory

2018-07-06 Thread Robin H. Johnson
On Fri, Jul 06, 2018 at 08:18:32AM +0200, Michał Górny wrote: > > option a) > > 2 years + N: > > 2 weeks <= N <= 3 months. > > > > option b) > > Change the wording to be 'at most 2 years' instead of 'exactly 2 years'. > That *is* the wording. I apologize. I took ulm's post as canonical and didn't

Re: [gentoo-dev] [PATCH v3 10/12] glep-0063: Make 2-yearly expiration term mandatory

2018-07-06 Thread Ulrich Mueller
> On Fri, 6 Jul 2018, Robin H Johnson wrote: > On Fri, Jul 06, 2018 at 07:43:56AM +0200, Ulrich Mueller wrote: >> Still NACK. If expiration is exactly 2 years and renewal must happen >> 2 weeks before the expiry date, then it is not possible to keep the >> same date. >> >> Example: The key

Re: [gentoo-dev] [PATCH v3 10/12] glep-0063: Make 2-yearly expiration term mandatory

2018-07-06 Thread Michał Górny
On Fri, 06.07.2018 at 06∶08 +, user Robin H. Johnson wrote: > On Fri, Jul 06, 2018 at 07:43:56AM +0200, Ulrich Mueller wrote: > > > > > > > On Thu, 5 Jul 2018, Michał Górny wrote: > > > Replace the disjoint 'minimum' and 'recommendation' for expiration > > > with a single

Re: [gentoo-dev] [PATCH v3 10/12] glep-0063: Make 2-yearly expiration term mandatory

2018-07-06 Thread Michał Górny
On Fri, 06.07.2018 at 07∶43 +0200, user Ulrich Mueller wrote: > > > > > > On Thu, 5 Jul 2018, Michał Górny wrote: > > Replace the disjoint 'minimum' and 'recommendation' for expiration > > with a single requirement. Make it 2 years. Also, remove disjoint > > expiration

Re: [gentoo-dev] [PATCH v3 10/12] glep-0063: Make 2-yearly expiration term mandatory

2018-07-06 Thread Robin H. Johnson
On Fri, Jul 06, 2018 at 07:43:56AM +0200, Ulrich Mueller wrote: > > On Thu, 5 Jul 2018, Michał Górny wrote: > > > Replace the disjoint 'minimum' and 'recommendation' for expiration > > with a single requirement. Make it 2 years. Also, remove disjoint > > expiration recommendation for the