[gentoo-portage-dev] [PATCH] GitSync: abort checkout for signature problem (bug 660372)

2018-07-05 Thread Zac Medico
Fetch the upstream remote and use git merge to update the checkout only after successful verification of the upstream head. Suggested-by: Richard Freeman Bug: https://bugs.gentoo.org/660372 --- pym/portage/sync/modules/git/git.py | 34 +- 1 file changed, 29

Re: [gentoo-dev] rfc: killing mediawiki

2018-07-05 Thread Nils Freydank
On Tuesday, 3 July 2018, 19:39:43 CEST, William Hubbs wrote: > All, > > some of us have talked about this on IRC off and on, but I want to bring > it up here as well. > > I don't care that we have a wiki, but can we please look into killing > mediawiki and look at something with a git

Re: [gentoo-dev] [PATCH v2 09/11] glep-0063: Make recommended expiration terms mandatory

2018-07-05 Thread Matthias Maier
On Thu, Jul 5, 2018, at 08:36 CDT, Michał Górny wrote: > That said, I'm open to using a different recommendation, e.g. 2 years > as in riseup [1]. I suppose having the same time for both primary key > and subkeys would make the spec simpler, and many developers are > mistaking expiration

Re: [gentoo-dev] [PATCH v2 00/11] Major GLEP 63 update; full text

2018-07-05 Thread Michał Górny
On Wed, 04.07.2018 at 23∶43 +0200, Kristian Fiskerstrand wrote: > On 07/04/2018 11:28 PM, Michał Górny wrote: > > On Wed, 04.07.2018 at 23∶12 +0200, Ulrich Mueller > > wrote: > > > > > > > > On Wed, 04 Jul 2018, Michał Górny wrote: > > > > > > > >

Re: [gentoo-dev] [PATCH v2 09/11] glep-0063: Make recommended expiration terms mandatory

2018-07-05 Thread Michał Górny
On Wed, 04.07.2018 at 18∶48 -0400, Joshua Kinard wrote: > On 7/4/2018 5:24 PM, Michał Górny wrote: > > On Wed, 04.07.2018 at 23∶05 +0200, Ulrich Mueller > > wrote: > > > > > > > > On Wed, 4 Jul 2018, Michał Górny wrote: > > > > > > > > -3. Key

[gentoo-dev] Re: rfc: why are we still distributing the portage tree via rsync?

2018-07-05 Thread Martin Vaeth
Matt Turner wrote: > The ebuild tree is 600MB with rsync and cannot fit on the partition > with git. > > I'd be happy to switch if the space requirements were similar. If one git repacks every few syncs one needs currently about 800 MB. With additionally squashfs (zstd) (+ overlayfs) the full

Re: [gentoo-dev] [PATCH v2 09/11] glep-0063: Make recommended expiration terms mandatory

2018-07-05 Thread Marc Schiffbauer
* Matthias Maier wrote on 05.07.18 at 15:51: > > On Thu, Jul 5, 2018, at 08:36 CDT, Michał Górny wrote: > > > That said, I'm open to using a different recommendation, e.g. 2 years > > as in riseup [1]. I suppose having the same time for both primary key > > and subkeys would make the

Re: [gentoo-dev] rfc: killing mediawiki

2018-07-05 Thread William Hubbs
On Thu, Jul 05, 2018 at 11:08:10AM +0200, Nils Freydank wrote: > On Tuesday, 3 July 2018, 19:39:43 CEST, William Hubbs wrote: > > All, > > > > some of us have talked about this on IRC off and on, but I want to bring > > it up here as well. > > > > I don't care that we have a wiki, but can we

Re: [gentoo-dev] [PATCH v2 09/11] glep-0063: Make recommended expiration terms mandatory

2018-07-05 Thread William Hubbs
On Thu, Jul 05, 2018 at 03:36:09PM +0200, Michał Górny wrote: > On Wed, 04.07.2018 at 18∶48 -0400, Joshua Kinard > wrote: > > On 7/4/2018 5:24 PM, Michał Górny wrote: > > > On Wed, 04.07.2018 at 23∶05 +0200, Ulrich Mueller > > > wrote: > > > > > >

Re: [gentoo-dev] [PATCH v2 09/11] glep-0063: Make recommended expiration terms mandatory

2018-07-05 Thread Michał Górny
On Thu, 05.07.2018 at 17∶37 +0200, Marc Schiffbauer wrote: > * Matthias Maier wrote on 05.07.18 at 15:51: > > > > On Thu, Jul 5, 2018, at 08:36 CDT, Michał Górny wrote: > > > > > That said, I'm open to using a different recommendation, e.g. 2 years > > > as in

[gentoo-portage-dev] [PATCH] rsync: quarantine data prior to verification (bug 660410)

2018-07-05 Thread Zac Medico
Sync into a quarantine subdirectory, using the rsync --link-dest option to create hardlinks to identical files in the previous snapshot of the repository. If hardlinks are not supported, then show a warning message and sync directly to the normal repository location. If verification succeeds,

Re: [gentoo-dev] [PATCH v2 09/11] glep-0063: Make recommended expiration terms mandatory

2018-07-05 Thread Matthias Maier
On Thu, Jul 5, 2018, at 08:36 CDT, Michał Górny wrote: > I don't really know the original rationale for this. > > The NIST standard says 1-3 years. If I were to guess, I'd say 1 year > was chosen for subkey because subkey expiring is a 'smaller' issue than > the whole key expiring, i.e. other

Re: [gentoo-dev] rfc: killing mediawiki

2018-07-05 Thread William Hubbs
On Thu, Jul 05, 2018 at 01:26:51PM +1200, Kent Fredric wrote: > On Wed, 4 Jul 2018 12:44:11 -0500 > William Hubbs wrote: > > > Yes I would benefit from this change, but it is not a case of optimizing > > for one. It is a case of opening up the use of the wiki to the largest > > audience

Re: [gentoo-dev] [PATCH v2 09/11] glep-0063: Make recommended expiration terms mandatory

2018-07-05 Thread Michał Górny
On Thu, 05.07.2018 at 13∶24 -0500, William Hubbs wrote: > On Thu, Jul 05, 2018 at 03:36:09PM +0200, Michał Górny wrote: > > On Wed, 04.07.2018 at 18∶48 -0400, Joshua Kinard > > wrote: > > > On 7/4/2018 5:24 PM, Michał Górny wrote: > > > > W dniu

[gentoo-dev] [PATCH v3 04/12] glep-0063: Root key → primary key

2018-07-05 Thread Michał Górny
Replace the custom term 'root key' with much more common 'primary key'. This is also the term used in GnuPG output. --- glep-0063.rst | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/glep-0063.rst b/glep-0063.rst index a56ae65..318717a 100644 --- a/glep-0063.rst +++

[gentoo-dev] [PATCH v3 06/12] glep-0063: Explain minimal & recommended sections

2018-07-05 Thread Michał Górny
--- glep-0063.rst | 8 1 file changed, 8 insertions(+) diff --git a/glep-0063.rst b/glep-0063.rst index 2d30f68..b995d8e 100644 --- a/glep-0063.rst +++ b/glep-0063.rst @@ -40,6 +40,10 @@ Specifications for OpenPGP keys Bare minimum requirements - +This

[gentoo-dev] [PATCH v3 05/12] glep-0063: Split out the signing subkey into a separation point

2018-07-05 Thread Michał Górny
Reword the specification to express the requirement for separate signing subkey more verbosely. Replace the ambiguous term 'dedicated' with clear explanation that it needs to be different from the primary key and not used for other purposes. Suggested-by: Kristian Fiskerstrand ---

[gentoo-dev] [PATCH v3 03/12] glep-0063: 'Gentoo subkey' → 'Signing subkey'

2018-07-05 Thread Michał Górny
Replace the 'Gentoo subkey' term that might wrongly suggest that the developers are expected to create an additional, dedicated subkey for Gentoo. Suggested-by: Kristian Fiskerstrand --- glep-0063.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/glep-0063.rst

Re: [gentoo-dev] [PATCH v3 08/12] glep-0063: Allow ECC curve 25519 keys

2018-07-05 Thread Jonas Stein
> b. RSA, >=2048 bits (OpenPGP v4 key format or later only) > > + c. ECC curve 25519 > + > 4. Key expiry: 5 years maximum > 5. Upload your key to the SKS keyserver rotation before usage! I think we should ensure first that everything works fine with ECC. Last time I checked, ECC was a
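Review bot: the added item "c. ECC curve 25519" names only the curve, while item b directly above it states both a size floor and the key format ("RSA, >=2048 bits (OpenPGP v4 key format or later only)"). Consider naming the algorithms that are meant, for example Ed25519 for signing and Cv25519 for encryption as GnuPG labels them in key listings, so that a key can be checked against this item the same way it can against the RSA item.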

[gentoo-dev] [PATCH v3 11/12] glep-0063: Require renewal 2 weeks before expiration

2018-07-05 Thread Michał Górny
Add a rule requesting renewal of keys at least two weeks before their expiration date, in order to give services time to refresh. --- glep-0063.rst | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/glep-0063.rst b/glep-0063.rst index 0fdf5ed..d41a2a0 100644 ---

[gentoo-dev] [PATCH v3 10/12] glep-0063: Make 2-yearly expiration term mandatory

2018-07-05 Thread Michał Górny
Replace the disjoint 'minimum' and 'recommendation' for expiration with a single requirement. Make it 2 years. Also, remove disjoint expiration recommendation for the primary key and subkeys since many developers fail at implementing that anyway. --- glep-0063.rst | 15 --- 1 file

[gentoo-dev] [PATCH v3 12/12] glep-0063: Disallow using DSA keys

2018-07-05 Thread Michał Górny
There really is no technical reason to use DSA keys and people who are still using old DSA keys should finally replace them, so remove them from the minimal requirements. --- glep-0063.rst | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/glep-0063.rst b/glep-0063.rst

[gentoo-dev] [PATCH v3 00/12] GLEP 63 update

2018-07-05 Thread Michał Górny
Hi, Here's the third version of the patches. I've incorporated the feedback so far and reordered the patches (again) to restore their degree-of-compatibility order. The full text is included below. Michał Górny (12): glep-0063: Use 'OpenPGP' as appropriate glep-0063: RSAv4 -> OpenPGP v4 key

[gentoo-dev] [PATCH v3 02/12] glep-0063: RSAv4 -> OpenPGP v4 key format

2018-07-05 Thread Michał Górny
Replace the 'RSAv4' with 'OpenPGP v4 key format'. The RSA algorithm does not really have versions, and the author most likely meant the v4 of OpenPGP key format as outlined in RFC 4880, section 12.1. This was figured out and explained to me by Kristian Fiskerstrand. --- glep-0063.rst | 4 ++--

[gentoo-dev] [PATCH v3 01/12] glep-0063: Use 'OpenPGP' as appropriate

2018-07-05 Thread Michał Górny
Replace many of the incorrect uses of GPG/GnuPG [key] with OpenPGP. G[nu]PG has been left where the text clearly refers to the specific implementation of OpenPGP rather than the standard itself. --- glep-0063.rst | 22 +++--- 1 file changed, 11 insertions(+), 11 deletions(-) diff

[gentoo-dev] [PATCH v3 07/12] glep-0063: Change the recommended RSA key size to 2048 bits

2018-07-05 Thread Michał Górny
Change the recommended key size recommendation for RSA from 4096 bits to 2048 bits. Use of larger keys is unjustified due to negligible gain in security, and recommending RSA-4096 unnecessarily resulted in developers replacing their RSA-2048 keys for no good reason. --- glep-0063.rst | 20

[gentoo-dev] [PATCH v3 08/12] glep-0063: Allow ECC curve 25519 keys

2018-07-05 Thread Michał Górny
Optionally allow using ECC curve 25519 keys. We already have developers using those keys, and given that they are supported by GnuPG 2.2, there's probably no reason to ban them. However, they're not recommended due to interoperability issues. --- glep-0063.rst | 4 1 file changed, 4

[gentoo-dev] [PATCH v3 09/12] glep-0063: Stop recommending DSA subkeys

2018-07-05 Thread Michał Górny
There is really no technical reason to use DSA these days, and we should focus on having a single recommendation. DSA keys are still permitted via 'minimal' requirements. --- glep-0063.rst | 18 -- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/glep-0063.rst

Re: [gentoo-dev] Re: rfc: why are we still distributing the portage tree via rsync?

2018-07-05 Thread Gerion Entrup
On Thursday, 5 July 2018, 14:03:36 CEST, Martin Vaeth wrote: > Matt Turner wrote: > > The ebuild tree is 600MB with rsync and cannot fit on the partition > > with git. > > > > I'd be happy to switch if the space requirements were similar. > > If one git repacks every few syncs one needs

Re: [gentoo-dev] Re: rfc: why are we still distributing the portage tree via rsync?

2018-07-05 Thread Kent Fredric
On Fri, 06 Jul 2018 01:55:32 +0200 Gerion Entrup wrote: > Would it be possible to take the bare repo (< 600 MB) and only mount the latest > checkout (with fuse eg)? That would incur performance problems, because packed objects are stored as differences to other objects (similar to how later

Re: [gentoo-dev] rfc: killing mediawiki

2018-07-05 Thread Kent Fredric
On Thu, 5 Jul 2018 12:44:42 -0500 William Hubbs wrote: > Have you even looked at gollum for example? it can support mw markdown. I've looked at it, but none of my reading of online material indicates whether it supports more than the existing media-wiki *syntax*. For instance, Gollum states

Re: [gentoo-dev] rfc: killing mediawiki

2018-07-05 Thread Kent Fredric
On Thu, 5 Jul 2018 12:32:20 -0500 William Hubbs wrote: > I looked at this first, and it is very hard on the server. > Every pull or clone you do to update things works like an initial clone, > so it takes pretty massive resources. Surely, then the recommended approach involves: 1. Selecting

Re: [gentoo-dev] [PATCH v3 10/12] glep-0063: Make 2-yearly expiration term mandatory

2018-07-05 Thread Ulrich Mueller
> On Thu, 5 Jul 2018, Michał Górny wrote: > Replace the disjoint 'minimum' and 'recommendation' for expiration > with a single requirement. Make it 2 years. Also, remove disjoint > expiration recommendation for the primary key and subkeys since many > developers fail at implementing that

Re: [gentoo-dev] [PATCH v3 08/12] glep-0063: Allow ECC curve 25519 keys

2018-07-05 Thread Ulrich Mueller
> On Thu, 5 Jul 2018, Jonas Stein wrote: >> b. RSA, >=2048 bits (OpenPGP v4 key format or later only) >> >> + c. ECC curve 25519 >> + >> 4. Key expiry: 5 years maximum >> 5. Upload your key to the SKS keyserver rotation before usage! > I think we should ensure first that everything works