On Fri, 06 Jul 2018 08:18:32 +0200
Michał Górny <mgo...@gentoo.org> wrote:

> On Fri, 06.07.2018 at 06:08 +0000, Robin H. Johnson wrote:
> > On Fri, Jul 06, 2018 at 07:43:56AM +0200, Ulrich Mueller wrote:  
> > > >>>>> On Thu, 5 Jul 2018, Michał Górny wrote:
> > > > Replace the disjoint 'minimum' and 'recommendation' for
> > > > expiration with a single requirement. Make it 2 years. Also,
> > > > remove disjoint expiration recommendation for the primary key
> > > > and subkeys since many developers fail at implementing that
> > > > anyway.  
> > > 
> > > Still NACK. If expiration is exactly 2 years and renewal must
> > > happen 2 weeks before the expiry date, then it is not possible to
> > > keep the same date.
> > > 
> > > Example: The key will expire at 2018-12-31, so it must be renewed
> > > at 2018-12-17 or earlier. This will make it impossible to keep
> > > the same month and day (unless one would reset it to 2019-12-31,
> > > which is only one year though).
> > > 
> > > So please, make it something like 2 years + 3 months.  
> > 
> > option a)
> > 2 years + N:
> > 2 weeks <= N <= 3 months.
> > 
> > option b)
> > Change the wording to be 'at most 2 years' instead of 'exactly 2
> > years'.  
> 
> That *is* the wording.
> 
> > Separately:
> > Is two weeks enough time for a new key distribution to users?  
> 
> I originally wanted to specify one month but k_f insisted on something
> shorter.  2 weeks were the compromise we agreed on.  That said, I'd
> say weekly 'gpg --refresh' is what we should recommend as the bare
> minimum.
> 
> That said, the point of two weeks is mostly to give us time to remind
> developers that their key is expiring and to give them time to
> actually read their mail and do it before it actually expires.
> 

I have gkeys spec-check start warning at 30 days, and it has been my
experience that often it only gets renewed last minute (depends on how
active the developer is), as it is one of those things that gets put
off thinking there is still lots of time... But also, many of those had
keys that did not meet the spec requirements.

-- 
Brian Dolbec <dolsen>
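
An added illustration, not part of the thread and not gkeys code: a small checker that applies the limits quoted above (expiry at most 2 years out, renewal 2 weeks before expiry, warning from 30 days) to a `gpg --with-colons` style listing, and reproduces the 2018-12-31 renewal example. The sample listing, key IDs, status names and function names are constructed for this example, and "2 years" is assumed to mean two calendar years.

```python
from datetime import date, datetime, timedelta, timezone

MAX_YEARS = 2                      # thread: expiry "at most 2 years"
RENEW_BEFORE = timedelta(days=14)  # thread: renew 2 weeks before expiry
WARN_BEFORE = timedelta(days=30)   # thread: gkeys spec-check warns at 30 days

# Constructed sample in `gpg --with-colons` layout (field 5 = key ID,
# field 7 = expiry); assumes expiry is given as epoch seconds.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAA1:1483228800:1546214400::u:::scESC:
sub:u:4096:1:AAAAAAAAAAAAAAA2:1483228800:1531699200:::::s:
pub:u:4096:1:BBBBBBBBBBBBBBB1:1483228800:1533081600::u:::scESC:
pub:u:4096:1:CCCCCCCCCCCCCCC1:1483228800:1609459200::u:::scESC:
pub:u:4096:1:DDDDDDDDDDDDDDD1:1483228800:::u:::scESC:
"""

def add_years(d, n):
    try:
        return d.replace(year=d.year + n)
    except ValueError:             # Feb 29 into a non-leap year
        return d.replace(year=d.year + n, day=28)

def check_expiry(expires, today):
    """Classify one expiry date against the limits quoted above."""
    if expires is None:
        return "no-expiry"
    if expires < today:
        return "expired"
    if expires > add_years(today, MAX_YEARS):
        return "too-long"
    if expires - today <= RENEW_BEFORE:
        return "renew-overdue"
    return "warn" if expires - today <= WARN_BEFORE else "ok"

def latest_same_day_expiry(old_expiry, renewed_on):
    """Latest new expiry that keeps the old month/day within MAX_YEARS of renewal."""
    limit = add_years(renewed_on, MAX_YEARS)
    candidate = add_years(old_expiry, MAX_YEARS)
    while candidate > limit:
        candidate = add_years(candidate, -1)
    return candidate

def audit(listing, today):
    """Return (key ID, status) for every pub/sub record in the listing."""
    out = []
    for f in (line.split(":") for line in listing.splitlines()):
        if f[0] in ("pub", "sub"):
            exp = datetime.fromtimestamp(int(f[6]), timezone.utc).date() if f[6] else None
            out.append((f[4], check_expiry(exp, today)))
    return out
```

With a renewal on 2018-12-17, `latest_same_day_expiry(date(2018, 12, 31), date(2018, 12, 17))` gives 2019-12-31, which is the one-year result described in the quoted example.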
