Re: [gentoo-dev] Re: [gentoo-dev-announce] PORTAGE_GPG_KEY strictness

2012-10-17 Thread Kacper Kowalik
On 17.10.2012 03:30, Patrick Lauer wrote:
> On 10/17/12 06:54, Robin H. Johnson wrote:
>> Hi all,
>>
>> One of the items that has come up in the Git conversion, and needs some
>> attention.
>>
> [snip]
>>
>> As such, we've decided to make the PORTAGE_GPG_KEY strictly enforce what
>> was originally

Re: [gentoo-dev] Re: [gentoo-dev-announce] PORTAGE_GPG_KEY strictness

2012-10-17 Thread Zac Medico
On 10/17/2012 12:16 AM, Michał Górny wrote:
> On Tue, 16 Oct 2012 22:54:04 +
> "Robin H. Johnson" wrote:
>> As such, we've decided to make the PORTAGE_GPG_KEY strictly enforce what
>> was originally intended.
>>
>> - You must specify a key or subkey exactly.
>> - The leading "0x" is optional.

[gentoo-dev] Re: [gentoo-dev-announce] PORTAGE_GPG_KEY strictness

2012-10-17 Thread Michał Górny
On Tue, 16 Oct 2012 22:54:04 + "Robin H. Johnson" wrote:
> Previously, the PORTAGE_GPG_KEY variable has allowed ANY argument, and
> passed it to GPG, letting GPG use that. This was intended to explicitly
> be a unique identifier for a key (or subkey).
>
> However, it seems that there are sig

Re: [gentoo-dev] Re: [gentoo-dev-announce] PORTAGE_GPG_KEY strictness

2012-10-16 Thread Peter Stuge
Rich Freeman wrote:
> PKI becomes a nightmare if anybody but devs sign, and when we move to
> git it won't really be possible to have anybody else sign anyway
> unless we allow merge commits, which is just a whole different mess.

I'm not sure? Signatures can be made on anything by anyone and store

Re: [gentoo-dev] Re: [gentoo-dev-announce] PORTAGE_GPG_KEY strictness

2012-10-16 Thread Rich Freeman
On Tue, Oct 16, 2012 at 9:30 PM, Patrick Lauer wrote:
> That's nice. Can we also add some basic policies on key format (key
> length, validity) and get a centrally-hosted keyring?
>
> Then it'd even make sense for us to start using the whole signing thing
> now :)

Well, if we're going to do that

[gentoo-dev] Re: [gentoo-dev-announce] PORTAGE_GPG_KEY strictness

2012-10-16 Thread Patrick Lauer
On 10/17/12 06:54, Robin H. Johnson wrote:
> Hi all,
>
> One of the items that has come up in the Git conversion, and needs some
> attention.
> [snip]
>
> As such, we've decided to make the PORTAGE_GPG_KEY strictly enforce what
> was originally intended.
>
> - You must specify a key or subkey e

Re: [gentoo-dev] Re: [gentoo-dev-announce] PORTAGE_GPG_KEY strictness

2012-10-16 Thread Robin H. Johnson
On Wed, Oct 17, 2012 at 08:53:14AM +0800, Ben de Groot wrote:
> > Additionally, while we are NOT enforcing the use of long key-ids
> > presently, I strongly encourage ALL developers to move to using them,
> > due to known attacks against short ids:
> > http://www.asheesh.org/note/debian/short-key-i

[gentoo-dev] Re: [gentoo-dev-announce] PORTAGE_GPG_KEY strictness

2012-10-16 Thread Ben de Groot
On Oct 17, 2012 6:57 AM, "Robin H. Johnson" wrote:
>
> Hi all,
>
> One of the items that has come up in the Git conversion, and needs some
> attention.
>
> Previously, the PORTAGE_GPG_KEY variable has allowed ANY argument, and
> passed it to GPG, letting GPG use that. This was intended to explicit