Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

2020-12-18 Thread Mike Gilbert
On Fri, Dec 18, 2020 at 2:45 AM Ulrich Mueller  wrote:
>
> > On Thu, 17 Dec 2020, Mike Gilbert wrote:
>
> > Doesn't the same restriction apply to relicensing it?
>
> No, because the CC licenses have an explicit provision that allows it
> when distributing a modified work (which they call an "Adaptation",
> defined in section 1a).
>
> For example, CC-BY-SA-3.0 says in section 4b:
>
>    You may Distribute or Publicly Perform an Adaptation only under the
>    terms of: (i) this License; (ii) a later version of this License with
>    the same License Elements as this License; (iii) a Creative Commons
>    jurisdiction license (either this or a later license version) that
>    contains the same License Elements as this License (e.g.,
>    Attribution-ShareAlike 3.0 US)); (iv) a Creative Commons Compatible
>    License. [...]
>
> Item (ii) is what gives us the right to distribute under CC-BY-SA-4.0.

Thank you for taking the time to explain this.



Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

2020-12-17 Thread Ulrich Mueller
> On Thu, 17 Dec 2020, Mike Gilbert wrote:

> Doesn't the same restriction apply to relicensing it?

No, because the CC licenses have an explicit provision that allows it
when distributing a modified work (which they call an "Adaptation",
defined in section 1a).

For example, CC-BY-SA-3.0 says in section 4b:

   You may Distribute or Publicly Perform an Adaptation only under the
   terms of: (i) this License; (ii) a later version of this License with
   the same License Elements as this License; (iii) a Creative Commons
   jurisdiction license (either this or a later license version) that
   contains the same License Elements as this License (e.g.,
   Attribution-ShareAlike 3.0 US)); (iv) a Creative Commons Compatible
   License. [...]

Item (ii) is what gives us the right to distribute under CC-BY-SA-4.0.

Ulrich




Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

2020-12-17 Thread Thomas Deutschmann

On 2020-12-18 01:24, Mike Gilbert wrote:

> The GLEP already mentions the SKS keyserver pool, and the Gentoo LDAP
> directory. Are these not also "implementation details"?


Hrm,

I missed point 7. In this case how about replacing


Upload your key to the SKS keyserver rotation before usage!


with


Upload your key to the keyservers [11] before usage!

>
> [...]
>
> References
>
> [...]
> [11] Gentoo Wiki: Upload GLEP 63 based OpenPGP keys to keyservers 
(https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys#Submit_your_new_key_to_the_keyserver)


That's all I would do to keep as many details out of the specs. But 
maybe I am the only one who is so strict about the spec... I am just 
saying and asking for comments.



--
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5





Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

2020-12-17 Thread Mike Gilbert
On Thu, Dec 17, 2020 at 6:58 PM Thomas Deutschmann  wrote:
>
> Hi,
>
> sorry to be a show stopper here but I have to admit I don't like this
> addition.
>
> If I remember correctly we were talking about this when we actively
> worked on this GLEP and decided to not put anything like that into
> GLEP because this is an implementation detail which doesn't belong into
> 'specs'.
>
> We maybe can talk about adding just a reference link to the Wiki guide
> but I don't believe we should add this to GLEP.

The GLEP already mentions the SKS keyserver pool, and the Gentoo LDAP
directory. Are these not also "implementation details"?



Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

2020-12-17 Thread Thomas Deutschmann

Hi,

sorry to be a show stopper here but I have to admit I don't like this 
addition.


If I remember correctly we were talking about this when we actively
worked on this GLEP and decided to not put anything like that into
GLEP because this is an implementation detail which doesn't belong into
'specs'.


We maybe can talk about adding just a reference link to the Wiki guide 
but I don't believe we should add this to GLEP.



--
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5





Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

2020-12-17 Thread Mike Gilbert
On Thu, Dec 17, 2020 at 5:03 PM Ulrich Mueller  wrote:
>
> > On Thu, 17 Dec 2020, Mike Gilbert wrote:
>
> > Should I also drop the explicit copyright notice?
>
> >> Copyright (c) 2013-2019 by Robin Hugh Johnson, Andreas K. Hüttel,
> >> Marissa Fischer, Michał Górny.
>
> I think that a GLEP shouldn't have such a notice (after all, authors
> are listed in the GLEP's header), but you cannot remove it without
> permission of all authors.

Doesn't the same restriction apply to relicensing it?



Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

2020-12-17 Thread Ulrich Mueller
> On Thu, 17 Dec 2020, Mike Gilbert wrote:

> Should I also drop the explicit copyright notice?

>> Copyright (c) 2013-2019 by Robin Hugh Johnson, Andreas K. Hüttel,
>> Marissa Fischer, Michał Górny.

I think that a GLEP shouldn't have such a notice (after all, authors
are listed in the GLEP's header), but you cannot remove it without
permission of all authors.




Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

2020-12-17 Thread Mike Gilbert
On Thu, Dec 17, 2020 at 4:31 PM Ulrich Mueller  wrote:
>
> Please also update the license of the GLEP to CC-BY-SA-4.0 [1].
> See for example glep-0001.rst for the new footer.
>
> [1] 
> https://www.gentoo.org/glep/glep-0001.html#what-belongs-in-a-successful-glep
> (item 8)

Should I also drop the explicit copyright notice?

> Copyright (c) 2013-2019 by Robin Hugh Johnson, Andreas K. Hüttel,
> Marissa Fischer, Michał Górny.



Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

2020-12-17 Thread Ulrich Mueller
Please also update the license of the GLEP to CC-BY-SA-4.0 [1].
See for example glep-0001.rst for the new footer.

[1] https://www.gentoo.org/glep/glep-0001.html#what-belongs-in-a-successful-glep
(item 8)




Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

2020-12-17 Thread Michał Górny
On Thu, 2020-12-17 at 15:15 -0500, Mike Gilbert wrote:
> On Thu, Dec 17, 2020 at 3:03 PM Aaron W. Swenson
>  wrote:
> > 
> > On Thu, Dec 17, 2020 at 01:12:16PM -0500, Mike Gilbert wrote:
> > > Signed-off-by: Mike Gilbert 
> > > ---
> > > 
> > > v2: Added "This upload is required in addition to uploading the
> > > SKS pool."
> > > 
> > > glep-0063.rst | 24 
> > > 1 file changed, 20 insertions(+), 4 deletions(-)
> > > 
> > > diff --git a/glep-0063.rst b/glep-0063.rst
> > > index 82541bd..ec465db 100644
> > > --- a/glep-0063.rst
> > > +++ b/glep-0063.rst
> > > @@ -7,10 +7,10 @@ Author: Robin H. Johnson ,
> > >     Michał Górny 
> > > Type: Standards Track
> > > Status: Final
> > > -Version: 2.1
> > > +Version: 2.2
> > > Created: 2013-02-18
> > > -Last-Modified: 2019-11-07
> > > -Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24
> > > +Last-Modified: 2020-12-17
> > > +Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24,
> > > 2020-12-17
> > > Content-Type: text/x-rst
> > > ---
> > > 
> > > @@ -28,6 +28,9 @@ OpenPGP key management policies for the Gentoo
> > > Linux distribution.
> > > Changes
> > > ===
> > > 
> > > +v2.2
> > > +  Added "Gentoo Keyserver" section under "Gentoo Infrastructure"
> > > chapter.
> > > +
> > > v2.1
> > >   A requirement for an encryption key has been added, in order to
> > > extend
> > >   the GLEP beyond commit signing and into use of OpenPGP for dev-
> > > to-dev
> > > @@ -135,8 +138,11 @@ their primary key).
> > > 
> > > 5. Encrypted backup of your secret keys.
> > > 
> > > +Gentoo Infrstructure
> > > +
> > > +
> > > Gentoo LDAP
> > > -===
> > > +---
> > > 
> > > All Gentoo developers must list the complete fingerprint for
> > > their primary
> > > keys in the "``gpgfingerprint``" LDAP field. It must be exactly
> > > 40 hex digits,
> > > @@ -147,6 +153,16 @@ of the fingerprint field. In any place that
> > > presently displays
> > > the "``gpgkey``" field, the last 16 hex digits of the fingerprint
> > > should
> > > be displayed instead.
> > > 
> > > +Gentoo Keyserver
> > > +
> > > +
> > > +Gentoo infrastructure uses a keyserver that is isolated from the
> > > SKS pool.
> > > +This keyserver is restricted to accepting uploads from
> > > authorized Gentoo hosts.
> > > +A script is provided on dev.gentoo.org to allow developers to
> > > upload their
> > > +keys. This upload is required in addition to uploading to the
> > > SKS pool.
> > > +
> > > +``gpg --export KEYID | ssh dev.gentoo.org
> > > /usr/local/bin/openpgp-key-upload``
> > > +
> > > Backwards Compatibility
> > > ===
> > > 
> > > --
> > > 2.30.0.rc0
> > > 
> > > 
> > 
> > Thanks for doing this! You beat me to the punch. I was going to try
> > getting to
> > it tomorrow.
> > 
> > It may be good to also change step 7 under "Bare minimum
> > requirements" to read:
> > 
> >  7. Upload your key to the Gentoo Keyserver before usage!
> > 
> > It'd give skimmers a trigger to look for the Gentoo keyserver info.
> 
> Sure, happy to make that change.
> 
> > We might want to add "Upload to the SKS or some other public PGP
> > pool" under
> > "Recommendations", but that's probably beyond the scope of the
> > document now.
> 
> I think it makes sense to move the SKS instruction to the
> recommendations section.
> 
> > Lastly, should we have a link to the step-by-step guide? [1]
> > 
> > [1]:
> > https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys
> 
> I'm not sure I like the idea of referring the user to a wiki article
> in the GLEP. What do others think of this?
> 
> If others agree, please propose some language/location to insert it,
> or send a patch of your own (feel free to use my patch as a starting
> point).
> 

I think we should actually have some dedicated info page purely for
Infra keyserver.  Possibly by replacing the index of
https://keys.gentoo.org.  Infra will look into it.

-- 
Best regards,
Michał Górny





Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

2020-12-17 Thread Mike Gilbert
On Thu, Dec 17, 2020 at 3:03 PM Aaron W. Swenson  wrote:
>
> On Thu, Dec 17, 2020 at 01:12:16PM -0500, Mike Gilbert wrote:
> >Signed-off-by: Mike Gilbert 
> >---
> >
> >v2: Added "This upload is required in addition to uploading the SKS pool."
> >
> > glep-0063.rst | 24 
> > 1 file changed, 20 insertions(+), 4 deletions(-)
> >
> >diff --git a/glep-0063.rst b/glep-0063.rst
> >index 82541bd..ec465db 100644
> >--- a/glep-0063.rst
> >+++ b/glep-0063.rst
> >@@ -7,10 +7,10 @@ Author: Robin H. Johnson ,
> > Michał Górny 
> > Type: Standards Track
> > Status: Final
> >-Version: 2.1
> >+Version: 2.2
> > Created: 2013-02-18
> >-Last-Modified: 2019-11-07
> >-Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24
> >+Last-Modified: 2020-12-17
> >+Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24, 2020-12-17
> > Content-Type: text/x-rst
> > ---
> >
> >@@ -28,6 +28,9 @@ OpenPGP key management policies for the Gentoo Linux 
> >distribution.
> > Changes
> > ===
> >
> >+v2.2
> >+  Added "Gentoo Keyserver" section under "Gentoo Infrastructure" chapter.
> >+
> > v2.1
> >   A requirement for an encryption key has been added, in order to extend
> >   the GLEP beyond commit signing and into use of OpenPGP for dev-to-dev
> >@@ -135,8 +138,11 @@ their primary key).
> >
> > 5. Encrypted backup of your secret keys.
> >
> >+Gentoo Infrstructure
> >+
> >+
> > Gentoo LDAP
> >-===
> >+---
> >
> > All Gentoo developers must list the complete fingerprint for their primary
> > keys in the "``gpgfingerprint``" LDAP field. It must be exactly 40 hex 
> > digits,
> >@@ -147,6 +153,16 @@ of the fingerprint field. In any place that presently 
> >displays
> > the "``gpgkey``" field, the last 16 hex digits of the fingerprint should
> > be displayed instead.
> >
> >+Gentoo Keyserver
> >+
> >+
> >+Gentoo infrastructure uses a keyserver that is isolated from the SKS pool.
> >+This keyserver is restricted to accepting uploads from authorized Gentoo 
> >hosts.
> >+A script is provided on dev.gentoo.org to allow developers to upload their
> >+keys. This upload is required in addition to uploading to the SKS pool.
> >+
> >+``gpg --export KEYID | ssh dev.gentoo.org 
> >/usr/local/bin/openpgp-key-upload``
> >+
> > Backwards Compatibility
> > ===
> >
> >--
> >2.30.0.rc0
> >
> >
>
> Thanks for doing this! You beat me to the punch. I was going to try getting to
> it tomorrow.
>
> It may be good to also change step 7 under "Bare minimum requirements" to 
> read:
>
>  7. Upload your key to the Gentoo Keyserver before usage!
>
> It'd give skimmers a trigger to look for the Gentoo keyserver info.

Sure, happy to make that change.

> We might want to add "Upload to the SKS or some other public PGP pool" under
> "Recommendations", but that's probably beyond the scope of the document now.

I think it makes sense to move the SKS instruction to the
recommendations section.

> Lastly, should we have a link to the step-by-step guide? [1]
>
> [1]: 
> https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys

I'm not sure I like the idea of referring the user to a wiki article
in the GLEP. What do others think of this?

If others agree, please propose some language/location to insert it,
or send a patch of your own (feel free to use my patch as a starting
point).



Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

2020-12-17 Thread Aaron W. Swenson

On Thu, Dec 17, 2020 at 01:12:16PM -0500, Mike Gilbert wrote:

Signed-off-by: Mike Gilbert 
---

v2: Added "This upload is required in addition to uploading the SKS pool."

glep-0063.rst | 24 
1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/glep-0063.rst b/glep-0063.rst
index 82541bd..ec465db 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -7,10 +7,10 @@ Author: Robin H. Johnson ,
Michał Górny 
Type: Standards Track
Status: Final
-Version: 2.1
+Version: 2.2
Created: 2013-02-18
-Last-Modified: 2019-11-07
-Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24
+Last-Modified: 2020-12-17
+Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24, 2020-12-17
Content-Type: text/x-rst
---

@@ -28,6 +28,9 @@ OpenPGP key management policies for the Gentoo Linux 
distribution.
Changes
===

+v2.2
+  Added "Gentoo Keyserver" section under "Gentoo Infrastructure" chapter.
+
v2.1
  A requirement for an encryption key has been added, in order to extend
  the GLEP beyond commit signing and into use of OpenPGP for dev-to-dev
@@ -135,8 +138,11 @@ their primary key).

5. Encrypted backup of your secret keys.

+Gentoo Infrstructure
+
+
Gentoo LDAP
-===
+---

All Gentoo developers must list the complete fingerprint for their primary
keys in the "``gpgfingerprint``" LDAP field. It must be exactly 40 hex digits,
@@ -147,6 +153,16 @@ of the fingerprint field. In any place that presently 
displays
the "``gpgkey``" field, the last 16 hex digits of the fingerprint should
be displayed instead.

+Gentoo Keyserver
+
+
+Gentoo infrastructure uses a keyserver that is isolated from the SKS pool.
+This keyserver is restricted to accepting uploads from authorized Gentoo hosts.
+A script is provided on dev.gentoo.org to allow developers to upload their
+keys. This upload is required in addition to uploading to the SKS pool.
+
+``gpg --export KEYID | ssh dev.gentoo.org /usr/local/bin/openpgp-key-upload``
+
Backwards Compatibility
===

--
2.30.0.rc0




Thanks for doing this! You beat me to the punch. I was going to try getting to
it tomorrow.

It may be good to also change step 7 under "Bare minimum requirements" to read:

7. Upload your key to the Gentoo Keyserver before usage!

It'd give skimmers a trigger to look for the Gentoo keyserver info.

We might want to add "Upload to the SKS or some other public PGP pool" under
"Recommendations", but that's probably beyond the scope of the document now.

Lastly, should we have a link to the step-by-step guide? [1]

[1]: 
https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys




Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

2020-12-17 Thread Robin H. Johnson
On Thu, Dec 17, 2020 at 08:27:44PM +0100, Michał Górny wrote:
> Thank you for doing this.
> 
> That said, I'm wondering if we should keep SKS pool at all.  Did anyone
> have any success interacting with it lately?  All my attempts of
> fetching keys are resulting in server errors.
Yes, it worked for me 2 weeks ago when I fetched some keys from a local
SKS node to correspond with an upstream developer about a potential
security issue recently.

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robb...@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136




Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

2020-12-17 Thread Mike Gilbert
On Thu, Dec 17, 2020 at 1:44 PM Davide Pesavento  wrote:
>
> On Thu, Dec 17, 2020 at 1:12 PM Mike Gilbert  wrote:
> >
> > Signed-off-by: Mike Gilbert 
> > ---
> >
> > v2: Added "This upload is required in addition to uploading the SKS pool."
> >
> >  glep-0063.rst | 24 
> >  1 file changed, 20 insertions(+), 4 deletions(-)
> >
> > diff --git a/glep-0063.rst b/glep-0063.rst
> > index 82541bd..ec465db 100644
> > --- a/glep-0063.rst
> > +++ b/glep-0063.rst
> > @@ -7,10 +7,10 @@ Author: Robin H. Johnson ,
> >  Michał Górny 
> >  Type: Standards Track
> >  Status: Final
> > -Version: 2.1
> > +Version: 2.2
> >  Created: 2013-02-18
> > -Last-Modified: 2019-11-07
> > -Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24
> > +Last-Modified: 2020-12-17
> > +Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24, 2020-12-17
> >  Content-Type: text/x-rst
> >  ---
> >
> > @@ -28,6 +28,9 @@ OpenPGP key management policies for the Gentoo Linux 
> > distribution.
> >  Changes
> >  ===
> >
> > +v2.2
> > +  Added "Gentoo Keyserver" section under "Gentoo Infrastructure" chapter.
> > +
> >  v2.1
> >A requirement for an encryption key has been added, in order to extend
> >the GLEP beyond commit signing and into use of OpenPGP for dev-to-dev
> > @@ -135,8 +138,11 @@ their primary key).
> >
> >  5. Encrypted backup of your secret keys.
> >
> > +Gentoo Infrstructure
>
> Typo.

Thanks, fixed locally.



Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

2020-12-17 Thread Michał Górny
On Thu, 2020-12-17 at 13:12 -0500, Mike Gilbert wrote:
> Signed-off-by: Mike Gilbert 
> ---
> 
> v2: Added "This upload is required in addition to uploading the SKS
> pool."
> 
>  glep-0063.rst | 24 
>  1 file changed, 20 insertions(+), 4 deletions(-)
> 
> diff --git a/glep-0063.rst b/glep-0063.rst
> index 82541bd..ec465db 100644
> --- a/glep-0063.rst
> +++ b/glep-0063.rst
> @@ -7,10 +7,10 @@ Author: Robin H. Johnson ,
>  Michał Górny 
>  Type: Standards Track
>  Status: Final
> -Version: 2.1
> +Version: 2.2
>  Created: 2013-02-18
> -Last-Modified: 2019-11-07
> -Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24
> +Last-Modified: 2020-12-17
> +Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24, 2020-
> 12-17
>  Content-Type: text/x-rst
>  ---
>  
> @@ -28,6 +28,9 @@ OpenPGP key management policies for the Gentoo
> Linux distribution.
>  Changes
>  ===
>  
> +v2.2
> +  Added "Gentoo Keyserver" section under "Gentoo Infrastructure"
> chapter.
> +
>  v2.1
>    A requirement for an encryption key has been added, in order to
> extend
>    the GLEP beyond commit signing and into use of OpenPGP for dev-to-
> dev
> @@ -135,8 +138,11 @@ their primary key).
>  
>  5. Encrypted backup of your secret keys.
>  
> +Gentoo Infrstructure

T

> +
> +
>  Gentoo LDAP
> -===
> +---
>  
>  All Gentoo developers must list the complete fingerprint for their
> primary
>  keys in the "``gpgfingerprint``" LDAP field. It must be exactly 40
> hex digits,
> @@ -147,6 +153,16 @@ of the fingerprint field. In any place that
> presently displays
>  the "``gpgkey``" field, the last 16 hex digits of the fingerprint
> should
>  be displayed instead.
>  
> +Gentoo Keyserver
> +
> +
> +Gentoo infrastructure uses a keyserver that is isolated from the SKS
> pool.
> +This keyserver is restricted to accepting uploads from authorized
> Gentoo hosts.
> +A script is provided on dev.gentoo.org to allow developers to upload
> their
> +keys. This upload is required in addition to uploading to the SKS
> pool.
> +
> +``gpg --export KEYID | ssh dev.gentoo.org /usr/local/bin/openpgp-
> key-upload``
> +
>  Backwards Compatibility
>  ===

Thank you for doing this.

That said, I'm wondering if we should keep SKS pool at all.  Did anyone
have any success interacting with it lately?  All my attempts of
fetching keys are resulting in server errors.

-- 
Best regards,
Michał Górny





Re: [gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

2020-12-17 Thread Davide Pesavento
On Thu, Dec 17, 2020 at 1:12 PM Mike Gilbert  wrote:
>
> Signed-off-by: Mike Gilbert 
> ---
>
> v2: Added "This upload is required in addition to uploading the SKS pool."
>
>  glep-0063.rst | 24 
>  1 file changed, 20 insertions(+), 4 deletions(-)
>
> diff --git a/glep-0063.rst b/glep-0063.rst
> index 82541bd..ec465db 100644
> --- a/glep-0063.rst
> +++ b/glep-0063.rst
> @@ -7,10 +7,10 @@ Author: Robin H. Johnson ,
>  Michał Górny 
>  Type: Standards Track
>  Status: Final
> -Version: 2.1
> +Version: 2.2
>  Created: 2013-02-18
> -Last-Modified: 2019-11-07
> -Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24
> +Last-Modified: 2020-12-17
> +Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24, 2020-12-17
>  Content-Type: text/x-rst
>  ---
>
> @@ -28,6 +28,9 @@ OpenPGP key management policies for the Gentoo Linux 
> distribution.
>  Changes
>  ===
>
> +v2.2
> +  Added "Gentoo Keyserver" section under "Gentoo Infrastructure" chapter.
> +
>  v2.1
>A requirement for an encryption key has been added, in order to extend
>the GLEP beyond commit signing and into use of OpenPGP for dev-to-dev
> @@ -135,8 +138,11 @@ their primary key).
>
>  5. Encrypted backup of your secret keys.
>
> +Gentoo Infrstructure

Typo.

> +
> +
>  Gentoo LDAP
> -===
> +---
>
>  All Gentoo developers must list the complete fingerprint for their primary
>  keys in the "``gpgfingerprint``" LDAP field. It must be exactly 40 hex 
> digits,
> @@ -147,6 +153,16 @@ of the fingerprint field. In any place that presently 
> displays
>  the "``gpgkey``" field, the last 16 hex digits of the fingerprint should
>  be displayed instead.
>
> +Gentoo Keyserver
> +
> +
> +Gentoo infrastructure uses a keyserver that is isolated from the SKS pool.
> +This keyserver is restricted to accepting uploads from authorized Gentoo 
> hosts.
> +A script is provided on dev.gentoo.org to allow developers to upload their
> +keys. This upload is required in addition to uploading to the SKS pool.
> +
> +``gpg --export KEYID | ssh dev.gentoo.org /usr/local/bin/openpgp-key-upload``
> +
>  Backwards Compatibility
>  ===
>
> --
> 2.30.0.rc0
>
>

The rest LGTM.

Thanks,
Davide



[gentoo-dev] [PATCH v2] glep-0063: Add section about the Gentoo keyserver

2020-12-17 Thread Mike Gilbert
Signed-off-by: Mike Gilbert 
---

v2: Added "This upload is required in addition to uploading the SKS pool."

 glep-0063.rst | 24 
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/glep-0063.rst b/glep-0063.rst
index 82541bd..ec465db 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -7,10 +7,10 @@ Author: Robin H. Johnson ,
 Michał Górny 
 Type: Standards Track
 Status: Final
-Version: 2.1
+Version: 2.2
 Created: 2013-02-18
-Last-Modified: 2019-11-07
-Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24
+Last-Modified: 2020-12-17
+Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24, 2020-12-17
 Content-Type: text/x-rst
 ---
 
@@ -28,6 +28,9 @@ OpenPGP key management policies for the Gentoo Linux 
distribution.
 Changes
 ===
 
+v2.2
+  Added "Gentoo Keyserver" section under "Gentoo Infrastructure" chapter.
+
 v2.1
   A requirement for an encryption key has been added, in order to extend
   the GLEP beyond commit signing and into use of OpenPGP for dev-to-dev
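
Review bot: the added v2.2 changelog entry records only that a section was added, but that section states the upload "is required in addition to uploading to the SKS pool", which is a new obligation on developers in a GLEP marked "Status: Final". Suggest naming the requirement in the entry, in the way the v2.1 entry directly below does ("A requirement for an encryption key has been added"), so that readers of the changelog see that the policy changed and not just the layout.
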
@@ -135,8 +138,11 @@ their primary key).
 
 5. Encrypted backup of your secret keys.
 
+Gentoo Infrstructure
+
+
 Gentoo LDAP
-===
+---
 
 All Gentoo developers must list the complete fingerprint for their primary
 keys in the "``gpgfingerprint``" LDAP field. It must be exactly 40 hex digits,
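
Review bot: "Infrstructure" in the added heading "+Gentoo Infrstructure" is misspelled; it should read "Gentoo Infrastructure" so that it matches the chapter name used in the v2.2 changelog entry. Since the same hunk demotes "Gentoo LDAP" from a "===" to a "---" underline, it is also worth checking that nothing links to that section at its old level.
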
@@ -147,6 +153,16 @@ of the fingerprint field. In any place that presently 
displays
 the "``gpgkey``" field, the last 16 hex digits of the fingerprint should
 be displayed instead.
 
+Gentoo Keyserver
+
+
+Gentoo infrastructure uses a keyserver that is isolated from the SKS pool.
+This keyserver is restricted to accepting uploads from authorized Gentoo hosts.
+A script is provided on dev.gentoo.org to allow developers to upload their
+keys. This upload is required in addition to uploading to the SKS pool.
+
+``gpg --export KEYID | ssh dev.gentoo.org /usr/local/bin/openpgp-key-upload``
+
 Backwards Compatibility
 ===
 
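
Review bot: KEYID in the added command "gpg --export KEYID | ssh dev.gentoo.org /usr/local/bin/openpgp-key-upload" is left undefined, while the Gentoo LDAP text in the surrounding context requires the complete 40-hex-digit fingerprint and moves displays away from the short "gpgkey" form. Suggest writing the placeholder as the full primary-key fingerprint and saying so in the paragraph, so the key that gets exported and uploaded is unambiguous. The paragraph also says the keyserver only accepts uploads from authorized Gentoo hosts without naming the keyserver or saying where keys are meant to be fetched from; one sentence on that would let readers know which source to trust. The script path is an infrastructure detail that can change, so consider whether the GLEP should carry it verbatim.
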
-- 
2.30.0.rc0