Re: [gentoo-dev] rejecting unsigned commits

2011-03-27 Thread Jeremy Olexa

On 03/24/2011 04:59 PM, Mike Frysinger wrote:


> this is especially important for the people doing arch keywording
> since they make a ton of commits.  i'm looking at you armin76.


One thing I don't get amidst this whole conversation is why I should 
sign a Manifest file when committing KEYWORDS or something equally 
trivial, like deleting ebuilds. By signing the Manifest, I interpret that 
as yes, I committed this Manifest file and yes I trust every hash in 
this Manifest file when in reality, I have no clue if the Manifest file 
is correct because I didn't inspect anything.


Am I missing something?

Thanks,
Jeremy



Re: [gentoo-dev] rejecting unsigned commits

2011-03-27 Thread Philipp Riegger
On Sun, 27 Mar 2011 17:04:56 -0500
Jeremy Olexa darks...@gentoo.org wrote:

>> this is especially important for the people doing arch keywording
>> since they make a ton of commits.  i'm looking at you armin76.
>
> One thing I don't get amidst this whole conversation is why I should
> sign a Manifest file when committing KEYWORDS or something equally
> trivial, like deleting ebuilds. By signing the Manifest, I interpret
> that as yes, I committed this Manifest file and yes I trust every
> hash in this Manifest file when in reality, I have no clue if the
> Manifest file is correct because I didn't inspect anything.
>
> Am I missing something?

You sign that you did this. More or less. The guy before you did the
same. If there is an error, all previous revisions of the tree are
available and you can check whose mistake it was. Nothing really
changes, but I can check whether a Gentoo dev committed the change and
who it was (and that it was not anybody who hacked some rsync mirror).

Philipp

-- 



Re: [gentoo-dev] rejecting unsigned commits

2011-03-25 Thread Peter Volkov
On Thu, 24/03/2011 at 17:59 -0400, Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifests anymore ?

Why? Without a policy on how we do that and, more importantly, how we
check that, signing makes no sense...

-- 
Peter.




Re: [gentoo-dev] rejecting unsigned commits

2011-03-25 Thread Andreas K. Huettel
On Friday 25 March 2011 11:11:12 Peter Volkov wrote:
> On Thu, 24/03/2011 at 17:59 -0400, Mike Frysinger wrote:
>> is there any reason we should allow people to commit unsigned
>> Manifests anymore ?
>
> Why? Without a policy on how we do that and, more importantly, how we
> check that, signing makes no sense...
>

I guess it's more about starting somewhere and getting required stuff into 
place step by step...

-- 
Andreas K. Huettel
Gentoo Linux developer - kde, sci, arm, tex
dilfri...@gentoo.org
http://www.akhuettel.de/




Re: [gentoo-dev] rejecting unsigned commits

2011-03-25 Thread Paweł Hajdan, Jr.
On 3/24/11 10:59 PM, Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifests anymore ?  generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.

Firstly, I'm excited we're moving towards a signed portage tree.

We can start with a repoman warning (yellow) and a transition period.

> when i look at the tree, the signed stats are stupid low:
> $ find *-* -maxdepth 2 -name Manifest | wc -l
> 14438
> $ find *-* -maxdepth 2 -name Manifest -exec grep -l 'BEGIN PGP SIGNATURE' {} + | wc -l
> 6032

If I'm interpreting the data correctly, about 43% of Manifest files are
signed. That's not too bad, I was expecting something more like 5%.

By the way, is it acceptable to use the same GPG key for e-mail and
signing packages?

Paweł Hajdan, Jr.





Re: [gentoo-dev] rejecting unsigned commits

2011-03-25 Thread Dane Smith

On 03/25/2011 07:55 AM, Paweł Hajdan, Jr. wrote:
> On 3/24/11 10:59 PM, Mike Frysinger wrote:
>> is there any reason we should allow people to commit unsigned
>> Manifests anymore ?  generating/posting/enabling a gpg key is
>> ridiculously easy and there's really no excuse for a dev to not have
>> done this already.
>
> Firstly, I'm excited we're moving towards a signed portage tree.
>
> We can start with a repoman warning (yellow) and a transition period.
>
>> when i look at the tree, the signed stats are stupid low:
>> $ find *-* -maxdepth 2 -name Manifest | wc -l
>> 14438
>> $ find *-* -maxdepth 2 -name Manifest -exec grep -l 'BEGIN PGP SIGNATURE' {} + | wc -l
>> 6032
>
> If I'm interpreting the data correctly, about 43% of Manifest files are
> signed. That's not too bad, I was expecting something more like 5%.
>
> By the way, is it acceptable to use the same GPG key for e-mail and
> signing packages?

Yes. In fact, I'd recommend it. Saves having to try to keep track of 2
keys / dev.

Having said that, for those that just use keys for e-mails (most of
us), it would make more sense to use full-blown SSL certs in the long run.
(Mathematically, same thing. But a cert needs to be signed by a CA, and
we should ideally maintain a Gentoo CA.) I need to get up to speed with
the GLEPs pertaining to this. Let's just say I have a fair bit of
experience in this field. I may be able to offer some ideas /
suggestions. I would very much like to see this happen.

But for the meantime, yes, it's safe.

-- 
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index



Re: [gentoo-dev] rejecting unsigned commits

2011-03-25 Thread Michał Górny

On Fri, 25 Mar 2011 07:59:49 -0400
Dane Smith c1p...@gentoo.org wrote:

> Having said that, for those that just use keys for e-mails (most of
> us), it would make more sense to use full-blown SSL certs in the long
> run. (Mathematically, same thing. But a cert needs to be signed by a
> CA, and we should ideally maintain a Gentoo CA.) I need to get up to
> speed with the GLEPs pertaining to this. Let's just say I have a
> fair bit of experience in this field. I may be able to offer some
> ideas / suggestions. I would very much like to see this happen.

How about Gentoo Foundation funding devs a full blown X509 client
certs?

-- 
Best regards,
Michał Górny


Re: [gentoo-dev] rejecting unsigned commits

2011-03-25 Thread Andreas K. Huettel
>> Having said that, for those that just use keys for e-mails (most of
>> us), it would make more sense to use full-blown SSL certs in the long
>> run. (Mathematically, same thing. But a cert needs to be signed by a
>> CA, and we should ideally maintain a Gentoo CA.) I need to get up to
>> speed with the GLEPs pertaining to this. Let's just say I have a
>> fair bit of experience in this field. I may be able to offer some
>> ideas / suggestions. I would very much like to see this happen.
>
> How about Gentoo Foundation funding devs a full blown X509 client
> certs?

Please don't go for the SSL bloat... just my 2ct...

-- 
Andreas K. Huettel
Gentoo Linux developer - kde, sci, arm, tex
dilfri...@gentoo.org
http://www.akhuettel.de/




Re: [gentoo-dev] rejecting unsigned commits

2011-03-25 Thread Paweł Hajdan, Jr.
On 3/25/11 3:43 PM, Michał Górny wrote:
> How about Gentoo Foundation funding devs a full blown X509 client
> certs?

Let's get signing and verifying working first, and then consider
anything that requires funding.





Re: [gentoo-dev] rejecting unsigned commits

2011-03-25 Thread Dane Smith

On 03/25/2011 11:04 AM, Paweł Hajdan, Jr. wrote:
> On 3/25/11 3:43 PM, Michał Górny wrote:
>> How about Gentoo Foundation funding devs a full blown X509 client
>> certs?
>
> Let's get signing and verifying working first, and then consider
> anything that requires funding.
>

+1

We do not need to get paid for X509 certs. We control portage. We
control the manifests. We do not need some third party CA to control the
certs used for signing. We have the infrastructure to do it ourselves.
For free. With us in control of the revocation etc.

-- 
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index



Re: [gentoo-dev] rejecting unsigned commits

2011-03-25 Thread Mike Frysinger
On Fri, Mar 25, 2011 at 6:11 AM, Peter Volkov wrote:
> On Thu, 24/03/2011 at 17:59 -0400, Mike Frysinger wrote:
>> is there any reason we should allow people to commit unsigned
>> Manifests anymore ?
>
> Why? Without a policy on how we do that and, more importantly, how we
> check that, signing makes no sense...

so you want to wait until we have a 100% fully automated checking
system in place before even attempting the first 1%?  that doesn't
make much sense ... you have to start somewhere.

there's also nothing stopping people from verifying packages right now
by picking some keys to trust.  i can certainly verify a lot of
packages by following the web of trust that starts at my key.
-mike
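Picking some keys to trust and then following the web of trust outward from your own key, as an added example that is not part of this thread and not GnuPG's or portage's code: it applies the rules of GnuPG's classic trust model with the gpg defaults (one fully trusted certifier, or three marginally trusted ones, within a certification chain of at most five hops) to a constructed keyring, and then reports which packages' Manifest signers end up valid. The key labels, who-certified-whom graph, owner-trust assignments and the package-to-signer map are all invented for the example; revocation, expiry and per-user-ID validity are left out.

```python
"""Which Manifest signers become trusted when you start from your own key?

Added example, not GnuPG's or portage's code.  Applies GnuPG's classic
trust rules with the gpg default thresholds to a constructed keyring.
Revocation, key expiry and per-user-ID validity are not modelled.
"""
MARGINALS_NEEDED = 3     # gpg --marginals-needed default
COMPLETES_NEEDED = 1     # gpg --completes-needed default
MAX_CERT_DEPTH = 5       # gpg --max-cert-depth default


def valid_keys(certs, ownertrust, marginals=MARGINALS_NEEDED,
               completes=COMPLETES_NEEDED, max_depth=MAX_CERT_DEPTH):
    """Return {key: depth} for every key that ends up valid.

    certs:      {certified_key: {certifying_key, ...}} (no self-signatures)
    ownertrust: {key: "ultimate" | "full" | "marginal"}; absent means none.
    A key becomes valid at depth d+1 once enough *valid* keys of depth <= d
    with full ownertrust (completes) or marginal ownertrust (marginals)
    have certified it.  Ownertrust on a key that is not itself valid lends
    nothing, and nothing beyond max_depth hops from an ultimate key counts.
    """
    valid = {k: 0 for k, t in ownertrust.items() if t == "ultimate"}
    changed = True
    while changed:                                   # iterate to a fixed point
        changed = False
        for key, signers in certs.items():
            full = sorted(valid[s] for s in signers if s in valid
                          and ownertrust.get(s) in ("ultimate", "full"))
            marg = sorted(valid[s] for s in signers if s in valid
                          and ownertrust.get(s) == "marginal")
            depths = []
            if len(full) >= completes:
                depths.append(full[completes - 1] + 1)
            if len(marg) >= marginals:
                depths.append(marg[marginals - 1] + 1)
            best = min(depths) if depths else None
            if best is not None and best <= max_depth \
                    and best < valid.get(key, max_depth + 1):
                valid[key] = best
                changed = True
    return valid


def verifiable_packages(manifest_signers, valid):
    """Packages whose Manifest was signed by a key you consider valid."""
    return {pkg for pkg, signer in manifest_signers.items() if signer in valid}


# Constructed keyring: labels, certifications and the owner-trust that "me"
# assigned after picking some developer keys to trust.  Not real Gentoo data.
SAMPLE_CERTS = {
    "devA": {"me"}, "devB": {"me"}, "devC": {"me"}, "devD": {"me"},
    "devE": {"devA"},                   # one fully trusted certifier: enough
    "devF": {"devB", "devC", "devD"},   # three marginal certifiers: enough
    "devG": {"devB", "devC"},           # only two marginals: not enough
    "devH": {"devE"},                   # devE is valid but has no ownertrust
    "devI": {"stranger"},               # full ownertrust on a key that is invalid
    "c1": {"me"}, "c2": {"c1"}, "c3": {"c2"},
    "c4": {"c3"}, "c5": {"c4"}, "c6": {"c5"},   # c6 is one hop too deep
}
SAMPLE_TRUST = {
    "me": "ultimate", "devA": "full", "stranger": "full",
    "devB": "marginal", "devC": "marginal", "devD": "marginal",
    "c1": "full", "c2": "full", "c3": "full", "c4": "full", "c5": "full",
}
SAMPLE_SIGNERS = {"app-misc/foo": "devF", "app-misc/bar": "devG",
                  "sys-apps/baz": "c6", "dev-libs/qux": "devE"}


def demo():
    """Valid keys for the sample keyring and the packages they let you verify."""
    valid = valid_keys(SAMPLE_CERTS, SAMPLE_TRUST)
    return valid, verifiable_packages(SAMPLE_SIGNERS, valid)
```

The point the sample makes is the one Mike relies on: how many Manifests you can verify depends entirely on which keys you have assigned ownertrust to, not on how many keys you have fetched. devH and devI show the two usual surprises (a valid key with no ownertrust certifies nothing; ownertrust on a key you never validated is inert), and the c1..c6 chain shows the depth cut-off.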



Re: [gentoo-dev] rejecting unsigned commits

2011-03-25 Thread Andreas K. Huettel
> i don't expect the rejection to go into effect $now, so people not
> signing have plenty of time to start doing so

Is the additional effort of implementing this for CVS with the current 
two-stage commit even worth it?

I.e. would it not make more sense to wait _with the automated rejection_ until 
we finally made the Big Jump To Git?!

This does not mean that we cannot prepare everything else in the meantime...

-- 
Andreas K. Huettel
Gentoo Linux developer - kde, sci, arm, tex
dilfri...@gentoo.org
http://www.akhuettel.de/




Re: [gentoo-dev] rejecting unsigned commits

2011-03-25 Thread Eray Aslan
On 2011-03-25 1:59 PM, Dane Smith wrote:
> Having said that, for those that just use keys for e-mails (most of
> us), it would make more sense to use full-blown SSL certs in the long run.

Please no.  PKI is a naive design and for all intents and purposes will
remain a pipe-dream.  All security relationships that are worth anything
are bilateral, and no trusted third party is willing to accept enough risk
to warrant full trust.

Using public keys for auth is a good security model and the rest of x509
certs is just unnecessary overhead.  Let's not go there.  GPG is good
enough.
-- 
Eray Aslan
Developer, Gentoo Linux   eras at gentoo.org





[gentoo-dev] rejecting unsigned commits

2011-03-24 Thread Mike Frysinger
is there any reason we should allow people to commit unsigned
Manifests anymore ?  generating/posting/enabling a gpg key is
ridiculously easy and there's really no excuse for a dev to not have
done this already.

when i look at the tree, the signed stats are stupid low:
$ find *-* -maxdepth 2 -name Manifest | wc -l
14438
$ find *-* -maxdepth 2 -name Manifest -exec grep -l 'BEGIN PGP SIGNATURE' {} + | wc -l
6032

this is especially important for the people doing arch keywording
since they make a ton of commits.  i'm looking at you armin76.
-mike



Re: [gentoo-dev] rejecting unsigned commits

2011-03-24 Thread Markos Chandras
On Thu, Mar 24, 2011 at 05:59:45PM -0400, Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifests anymore ?  generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.
>
> when i look at the tree, the signed stats are stupid low:
> $ find *-* -maxdepth 2 -name Manifest | wc -l
> 14438
> $ find *-* -maxdepth 2 -name Manifest -exec grep -l 'BEGIN PGP SIGNATURE' {} + | wc -l
> 6032
>
> this is especially important for the people doing arch keywording
> since they make a ton of commits.  i'm looking at you armin76.
> -mike
>
Yes, I recall a similar thread in the past but I can't find it. Whilst I
am always signing my commits, I can't really see a good argument on why
we should/should not do it.

Regards,
-- 
Markos Chandras / Gentoo Linux Developer / Key ID: B4AFF2C2




Re: [gentoo-dev] rejecting unsigned commits

2011-03-24 Thread Olivier Crête
On Thu, 2011-03-24 at 17:59 -0400, Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifests anymore ?  generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.

I didn't know we still allowed that.. I guess the CVS server should just
reject unsigned Manifests..


-- 
Olivier Crête
tes...@gentoo.org
Gentoo Developer




Re: [gentoo-dev] rejecting unsigned commits

2011-03-24 Thread Petteri Räty
On 03/24/2011 11:59 PM, Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifests anymore ?  generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.
>

Also, submitting the quizzes requires you to have a GPG key. This probably
hasn't been a priority before all the tree can be signed. I think it
would be a good idea to start preparing for that by requiring people to
sign, as you said.

Regards,
Petteri





Re: [gentoo-dev] rejecting unsigned commits

2011-03-24 Thread Mike Gilbert
On Thu, Mar 24, 2011 at 5:59 PM, Mike Frysinger vap...@gentoo.org wrote:
> is there any reason we should allow people to commit unsigned
> Manifests anymore ?  generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.


Is there some plan to make verification of signed Manifests
easy/automatic for end users? Or am I misunderstanding the point of
Manifest signing?



Re: [gentoo-dev] rejecting unsigned commits

2011-03-24 Thread Rémi Cardona
On 24/03/2011 22:59, Mike Frysinger wrote:
> is there any reason we should allow people to commit unsigned
> Manifests anymore ?  generating/posting/enabling a gpg key is
> ridiculously easy and there's really no excuse for a dev to not have
> done this already.

I, for one, have never signed my Manifests because I've always found
GnuPG to be a major PITA.

With that being said, I do understand the rationale of signing them and
I'll adapt.

However, is there a howto or something explaining how to work
_efficiently_ with GPG? How do I avoid having to type my pass-phrase for
every commit?

Cheers,

Rémi

PS, wasn't manifest-signing supposed to become moot once we moved to git?



Re: [gentoo-dev] rejecting unsigned commits

2011-03-24 Thread Mike Frysinger
On Thu, Mar 24, 2011 at 6:28 PM, Mike Gilbert wrote:
> Is there some plan to make verification of signed Manifests easy/automatic
> for end users?

the end goal is for it to be transparent when it works.  emerge itself
would check things as part of its digest verification.

as to the current state of emerge's support, i don't know.  be nice if
Zac showed up to SCALE so we could sign keys :p.
-mike
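The digest half of that check, as an added example that is not portage's code: it strips the OpenPGP cleartext armor from a signed Manifest, parses the Manifest2 entries ("TYPE filename size HASH hex [HASH hex ...]") and compares each listed file's size and hashes against the files on disk. The package directory, file contents and the signature block are constructed inside the example. The signature itself is not checked; that is the part which actually ties the Manifest to a developer's key (gpg --verify against a keyring of trusted keys does it), so on its own this code only detects files that were changed after the Manifest was written.

```python
"""Check the digests in a cleartext-signed Gentoo Manifest (added example,
not portage's own code).  Parses Manifest2 lines ("TYPE file size HASH hex
[HASH hex ...]"), strips the OpenPGP cleartext armor and checks each file's
size and digests.  The OpenPGP signature itself is NOT verified here: that
needs gpg and a keyring of trusted developer keys."""
import hashlib
import os
import tempfile

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
ALGO_NAMES = {"RMD160": "ripemd160"}   # Manifest names that differ from hashlib's


def signed_body(text):
    """Lines covered by the cleartext signature (all lines if unsigned)."""
    lines = text.splitlines()
    if not lines or lines[0] != BEGIN_SIGNED:
        return lines
    i = 1
    while i < len(lines) and lines[i].strip():       # skip "Hash: SHA256" headers
        i += 1
    body = []
    for line in lines[i + 1:]:                       # after the blank separator
        if line == BEGIN_SIG:                        # signature block not parsed here
            break
        body.append(line[2:] if line.startswith("- ") else line)  # RFC 4880 dash-escape
    return body


def parse_manifest(text):
    """Entries as (type, name, size, {HASHNAME: hexdigest})."""
    entries = []
    for line in signed_body(text):
        f = line.split()
        if len(f) < 5 or len(f) % 2 == 0:            # blank or malformed line
            continue
        digests = {h.upper(): v.lower() for h, v in zip(f[3::2], f[4::2])}
        entries.append((f[0], f[1], int(f[2]), digests))
    return entries


def verify_entry(entry, base):
    """Problems with one entry's file under base; [] means it verified."""
    _kind, name, size, digests = entry
    path = os.path.join(base, name)
    if not os.path.isfile(path):
        return ["%s: missing" % name]
    with open(path, "rb") as fh:
        data = fh.read()
    problems = [] if len(data) == size else ["%s: size %d != %d" % (name, len(data), size)]
    checked = 0
    for algo, expected in digests.items():
        pyname = ALGO_NAMES.get(algo, algo.lower())
        if pyname in hashlib.algorithms_available:   # unknown hashes are skipped ...
            checked += 1
            if hashlib.new(pyname, data).hexdigest() != expected:
                problems.append("%s: %s mismatch" % (name, algo))
    if not checked:                                  # ... but at least one must be checked
        problems.append("%s: no verifiable digest" % name)
    return problems


def verify_manifest(text, pkgdir, distdir=None):
    """{filename: [problems]} for failing entries only."""
    report = {}
    for entry in parse_manifest(text):
        kind, name = entry[0], entry[1]
        if kind == "DIST" and distdir is None:       # distfiles are checked at fetch time
            continue
        base = {"DIST": distdir, "AUX": os.path.join(pkgdir, "files")}.get(kind, pkgdir)
        problems = verify_entry(entry, base)
        if problems:
            report[name] = problems
    return report


def build_sample(pkgdir, tamper=False):
    """Constructed package dir plus a placeholder-signed Manifest (digests are real)."""
    files = {"foo-1.0.ebuild": b'EAPI=4\nKEYWORDS="amd64 x86"\n',
             "files/foo-1.0-fix.patch": b"--- a/configure\n+++ b/configure\n"}
    os.makedirs(os.path.join(pkgdir, "files"))
    body = ["DIST foo-1.0.tar.gz 12345 SHA256 " + "0" * 64]   # not checked here
    for rel, data in files.items():
        with open(os.path.join(pkgdir, rel), "wb") as fh:
            fh.write(data)
        body.append("%s %s %d SHA1 %s SHA256 %s" % (
            "AUX" if rel.startswith("files/") else "EBUILD", os.path.basename(rel),
            len(data), hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest()))
    if tamper:                                       # edit after signing, as a bad mirror could
        with open(os.path.join(pkgdir, "foo-1.0.ebuild"), "ab") as fh:
            fh.write(b'KEYWORDS="amd64 x86 ~arm"\n')
    return "\n".join([BEGIN_SIGNED, "Hash: SHA256", ""] + body +
                     [BEGIN_SIG, "", "placeholder", "=AAAA", "-----END PGP SIGNATURE-----", ""])


def demo():
    """Verify an intact and a tampered copy; return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = os.path.join(tmp, "good"), os.path.join(tmp, "bad")
        intact = verify_manifest(build_sample(good), good)
        tampered = verify_manifest(build_sample(bad, tamper=True), bad)
    return intact, tampered
```

demo() returns an empty report for the intact directory and, for the copy whose ebuild was appended to after the Manifest was written, a size mismatch plus SHA1 and SHA256 mismatches. Without the signature check this is only a consistency check: whoever can rewrite files on a mirror can rewrite the Manifest too, which is Philipp's hacked-rsync-mirror point above, so the hashes are worth something only once the Manifest is bound to a key you trust.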



Re: [gentoo-dev] rejecting unsigned commits

2011-03-24 Thread Jeroen Roovers
On Thu, 24 Mar 2011 17:59:45 -0400
Mike Frysinger vap...@gentoo.org wrote:

> is there any reason we should allow people to commit unsigned
> Manifests anymore ?

Funny that. I only started doing that yesterday. It had been on my TODO
for a couple of years. :)


 jer



Re: [gentoo-dev] rejecting unsigned commits

2011-03-24 Thread Mike Frysinger
On Thu, Mar 24, 2011 at 6:42 PM, Rémi Cardona wrote:
> PS, wasn't manifest-signing supposed to become moot once we moved to git?

not in the least.  git only provides SHA1 which is not
cryptographically strong, and we will still be mirroring only the
latest checkout via rsync.  the hashes in git require the entire tree
in order to validate.
-mike



Re: [gentoo-dev] rejecting unsigned commits

2011-03-24 Thread Antoni Grzymala
Jeroen Roovers wrote (2011-03-25, 00:50):

> On Thu, 24 Mar 2011 17:59:45 -0400
> Mike Frysinger vap...@gentoo.org wrote:
>
>> is there any reason we should allow people to commit unsigned
>> Manifests anymore ?
>
> Funny that. I only started doing that yesterday. It had been on my TODO
> for a couple of years. :)

Does that get us any closer to GLEPs 57, 58, 59 (or generally
approaching the tree-signing/verifying group of problems)?

Regards,

-- 
[a]



Re: [gentoo-dev] rejecting unsigned commits

2011-03-24 Thread Mike Frysinger
On Thu, Mar 24, 2011 at 8:09 PM, Antoni Grzymala wrote:
> Jeroen Roovers wrote (2011-03-25, 00:50):
>> On Thu, 24 Mar 2011 17:59:45 -0400 Mike Frysinger wrote:
>>> is there any reason we should allow people to commit unsigned
>>> Manifests anymore ?
>
>> Funny that. I only started doing that yesterday. It had been on my TODO
>> for a couple of years. :)
>
> Does that get us any closer to GLEPs 57, 58, 59 (or generally
> approaching the tree-signing/verifying group of problems)?

yes
-mike



Re: [gentoo-dev] rejecting unsigned commits

2011-03-24 Thread Brian Harring
On Thu, Mar 24, 2011 at 06:08:53PM -0400, Olivier Crête wrote:
> On Thu, 2011-03-24 at 17:59 -0400, Mike Frysinger wrote:
>> is there any reason we should allow people to commit unsigned
>> Manifests anymore ?  generating/posting/enabling a gpg key is
>> ridiculously easy and there's really no excuse for a dev to not have
>> done this already.
>
> I didn't know we still allowed that.. I guess the CVS server should just
> reject unsigned Manifests..

Reject, and email an alias of folk who will go fix the manifest.  Keep 
in mind that since it's a two-stage commit for CVS, the checksums are left 
out of sync if we just flat out reject unsigned manifests and ignore 
the fallout.

~brian




Re: [gentoo-dev] rejecting unsigned commits

2011-03-24 Thread Mike Frysinger
On Thu, Mar 24, 2011 at 8:21 PM, Brian Harring wrote:
> On Thu, Mar 24, 2011 at 06:08:53PM -0400, Olivier Crête wrote:
>> On Thu, 2011-03-24 at 17:59 -0400, Mike Frysinger wrote:
>>> is there any reason we should allow people to commit unsigned
>>> Manifests anymore ?  generating/posting/enabling a gpg key is
>>> ridiculously easy and there's really no excuse for a dev to not have
>>> done this already.
>
>> I didn't know we still allowed that.. I guess the CVS server should just
>> reject unsigned Manifests..
>
> Reject, and email an alias of folk who will go fix the manifest.  Keep
> in mind that since it's a two-stage commit for CVS, the checksums are left
> out of sync if we just flat out reject unsigned manifests and ignore
> the fallout.

the fallout is said dev fixes their setup or they lose commit access

i don't expect the rejection to go into effect $now, so people not
signing have plenty of time to start doing so
-mike