Re: Reminder: Removing 2048 bit keys from the Debian keyrings
Hi,

Brian Nelson:
> > > Wouldn't it make more sense to ask these people privately what is getting in the way of a switch to a stronger key?
> > They have been asked. Repeatedly.
> I haven't been asked. I've received a few reminders that I need a new key with signatures, but I haven't been asked why I haven't submitted a new key yet.

The English language overlays ask in a way ('ask to …' vs. 'ask why/how …') which seems to confirm your quote that

> --
> Captain Logic is not steering this tugboat.

--
-- Matthias Urlichs

-- To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20141113082254.ga23...@smurf.noris.de
Re: Reminder: Removing 2048 bit keys from the Debian keyrings
On Tue, Nov 11, 2014 at 02:35:55PM -0600, Gunnar Wolf wrote:
> Henrique de Moraes Holschuh dijo [Sat, Nov 08, 2014 at 07:11:14PM -0200]:
> > On Sat, 08 Nov 2014, Richard Hartmann wrote:
> > > Interpretation is in the eye of the bee holder, but I am considering to attach this list to my weekly bug report; mainly because I can.
> > Wouldn't it make more sense to ask these people privately what is getting in the way of a switch to a stronger key?
> They have been asked. Repeatedly.

AIUI, you need to have at least one(?) additional signature on your new 2048+ RSA key on top of your old DSA key, correct?

If so, did you consider relaxing this requirement for the rollover? I.e. maybe having 2048 RSA keys signed by (only) old 1024 DSA keys in the keyring is better than having no key at all for a particular DD?

Michael
Re: Reminder: Removing 2048 bit keys from the Debian keyrings
On Thu, Nov 13, 2014 at 06:33:28PM +0100, Michael Banck wrote:
> AIUI, you need to have at least one(?) additional signature on your new 2048+ RSA key on top of your old DSA key, correct?

I meant on top of the signature from your old DSA key.

Michael
Re: Reminder: Removing 2048 bit keys from the Debian keyrings
Gunnar Wolf gw...@gwolf.org writes:
> Brian Nelson dijo [Wed, Nov 12, 2014 at 05:09:02PM -0500]:
> > > > Wouldn't it make more sense to ask these people privately what is getting in the way of a switch to a stronger key?
> > > They have been asked. Repeatedly.
> > I haven't been asked. I've received a few reminders that I need a new key with signatures, but I haven't been asked why I haven't submitted a new key yet.
>
> Right. Precise definitions. You are right — Although we have been slowly but steadily insisting (at least since 2010, when we announced at DebConf10 we had removed the last 17 remaining PGPv3 keys) that 1024D keys were no longer considered long-term trusty and urged everybody to start updating to a >=2K key.
>
> But, as you are asking, you got me curious :) Why haven't you started migrating to a new key?

Well I have a new key but it doesn't have any signatures on it other than my own, and I haven't encountered another developer in years to have it signed. I've been listed on https://wiki.debian.org/Keysigning/Offers for years (two locations in two different U.S. states, even) but have never been contacted for a keysigning.

I'm not overly far from other developers--Boston is about a 2 hour drive away--but with general busyness from having a family, I haven't found a chance to try to meet people in Boston. The boston-debian-soc mailing list being down for years doesn't help, either.

It's not a very interesting story. It's more about being inconvenient than insurmountable. I've just been hoping some opportunity would present itself for an easy keysigning, but that hasn't happened yet.

--
Captain Logic is not steering this tugboat.
Re: Reminder: Removing 2048 bit keys from the Debian keyrings
Brian Nelson dijo [Thu, Nov 13, 2014 at 02:27:59PM -0500]:
> Well I have a new key but it doesn't have any signatures on it other than my own, and I haven't encountered another developer in years to have it signed. I've been listed on https://wiki.debian.org/Keysigning/Offers for years (two locations in two different U.S. states, even) but have never been contacted for a keysigning.
>
> I'm not overly far from other developers--Boston is about a 2 hour drive away--but with general busyness from having a family, I haven't found a chance to try to meet people in Boston. The boston-debian-soc mailing list being down for years doesn't help, either.
>
> It's not a very interesting story. It's more about being inconvenient than insurmountable. I've just been hoping some opportunity would present itself for an easy keysigning, but that hasn't happened yet.

Right :) I didn't want to out you as a guy who has a minor problem getting his key signed. But you asked us to ask you why. And it boils down to being motivated to do it.

I hope this thread motivates you. In the worst case, I hope most people whose keys are retired from the active keyring next January will be motivated by the need (or desire?) to do Debian work without requiring a sponsor.

But each person has their own story. If you didn't explain your situation earlier on as a hard case (and we do have some), it's not up to us to get into personal details. Only to let you know that actions will be taken!
Re: Reminder: Removing 2048 bit keys from the Debian keyrings
Gunnar Wolf gw...@gwolf.org writes:
> Brian Nelson dijo [Thu, Nov 13, 2014 at 02:27:59PM -0500]:
> > Well I have a new key but it doesn't have any signatures on it other than my own, and I haven't encountered another developer in years to have it signed. I've been listed on https://wiki.debian.org/Keysigning/Offers for years (two locations in two different U.S. states, even) but have never been contacted for a keysigning.
> >
> > I'm not overly far from other developers--Boston is about a 2 hour drive away--but with general busyness from having a family, I haven't found a chance to try to meet people in Boston. The boston-debian-soc mailing list being down for years doesn't help, either.
> >
> > It's not a very interesting story. It's more about being inconvenient than insurmountable. I've just been hoping some opportunity would present itself for an easy keysigning, but that hasn't happened yet.
>
> Right :) I didn't want to out you as a guy who has a minor problem getting his key signed. But you asked us to ask you why. And it boils down to being motivated to do it.
>
> I hope this thread motivates you. In the worst case, I hope most people whose keys are retired from the active keyring next January will be motivated by the need (or desire?) to do Debian work without requiring a sponsor.
>
> But each person has their own story.

I'd like to retain an active key in Debian. However, I already have a well-connected key from when I was younger and my time was freely available and travel was easy. Those are no longer true, but I'm supposed to start over from scratch anyway and spend a better part of a day traveling to Boston to meet developers I've most likely never interacted with before. I'll show them some identification to prove I'm a Brian Michael Nelson which, since the other Brian Michael Nelson in the project retired, means I'm probably the one still active. I'll be able to submit a stronger key, but what exactly has been gained?

It feels like a waste of time and effort, so that's where my motivation is lacking. I've met and exchanged key signings with a good portion of the active developers (including you) with my old key, and it just seems like it would be a whole lot more meaningful and a more productive use of time to make use of that instead of yet another silly government ID exchange dance.

--
Captain Logic is not steering this tugboat.
Re: Reminder: Removing 2048 bit keys from the Debian keyrings
Hi Brian,

On 13.11.2014 23:43, Brian Nelson wrote:
> I'll show them some identification to prove I'm a Brian Michael Nelson which, since the other Brian Michael Nelson in the project retired, means I'm probably the one still active. I'll be able to submit a stronger key, but what exactly has been gained?

for starters: A key that can't be forged with a reasonable number of CPU cycles. This is not about not trusting you, but about others that may use a weak key like your current one as attack vector to do harm to Debian.

--
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
Re: Reminder: Removing 2048 bit keys from the Debian keyrings
Gunnar Wolf gw...@gwolf.org writes:
> Henrique de Moraes Holschuh dijo [Sat, Nov 08, 2014 at 07:11:14PM -0200]:
> > On Sat, 08 Nov 2014, Richard Hartmann wrote:
> > > Interpretation is in the eye of the bee holder, but I am considering to attach this list to my weekly bug report; mainly because I can.
> > Wouldn't it make more sense to ask these people privately what is getting in the way of a switch to a stronger key?
> They have been asked. Repeatedly.

I haven't been asked. I've received a few reminders that I need a new key with signatures, but I haven't been asked why I haven't submitted a new key yet.

--
Captain Logic is not steering this tugboat.
Re: Reminder: Removing 2048 bit keys from the Debian keyrings
Brian Nelson dijo [Wed, Nov 12, 2014 at 05:09:02PM -0500]:
> > > Wouldn't it make more sense to ask these people privately what is getting in the way of a switch to a stronger key?
> > They have been asked. Repeatedly.
> I haven't been asked. I've received a few reminders that I need a new key with signatures, but I haven't been asked why I haven't submitted a new key yet.

Right. Precise definitions. You are right — Although we have been slowly but steadily insisting (at least since 2010, when we announced at DebConf10 we had removed the last 17 remaining PGPv3 keys) that 1024D keys were no longer considered long-term trusty and urged everybody to start updating to a >=2K key.

But, as you are asking, you got me curious :) Why haven't you started migrating to a new key?

Greetings,
Re: Reminder: Removing 2048 bit keys from the Debian keyrings
Henrique de Moraes Holschuh dijo [Sat, Nov 08, 2014 at 07:11:14PM -0200]:
> On Sat, 08 Nov 2014, Richard Hartmann wrote:
> > Interpretation is in the eye of the bee holder, but I am considering to attach this list to my weekly bug report; mainly because I can.
> Wouldn't it make more sense to ask these people privately what is getting in the way of a switch to a stronger key?

They have been asked. Repeatedly.
Re: Reminder: Removing 2048 bit keys from the Debian keyrings
On Tue, 11 Nov 2014, Gunnar Wolf wrote:
> Henrique de Moraes Holschuh dijo [Sat, Nov 08, 2014 at 07:11:14PM -0200]:
> > On Sat, 08 Nov 2014, Richard Hartmann wrote:
> > > Interpretation is in the eye of the bee holder, but I am considering to attach this list to my weekly bug report; mainly because I can.
> > Wouldn't it make more sense to ask these people privately what is getting in the way of a switch to a stronger key?
> They have been asked. Repeatedly.

Oh well... no reply and no new key makes for a sad day ;-)

--
One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot
Henrique Holschuh
Re: Reminder: Removing 2048 bit keys from the Debian keyrings
On Sat, Nov 08, 2014 at 10:19:02PM +0100, Richard Hartmann wrote:
> That seems to have happened in similar form a few times already; given the context, it's reasonable to expect them to poke -project, -private, or just anyone on their own.

I know at least one of the people listed who is already taking action, currently managed to get one DD signature (me) and several other paths to the strongly connected set, and will probably wait until closer to the deadline to do the key update, hoping for opportunities for more DD sigs.

Therefore I would not claim that all of the people listed there are sitting there doing nothing.

I like that Jonathan's mail was worded as an invitation to offer help.

Enrico

--
GPG key: 4096R/E7AD5568 2009-05-08 Enrico Zini enr...@enricozini.org
Re: Reminder: Removing 2048 bit keys from the Debian keyrings
On Sat, Nov 08, 2014 at 08:25:58PM +0100, Marco d'Itri wrote:
> On Nov 08, Jonathan McDowell nood...@earth.li wrote:
> > Back in August I sent notification[0] about the fact that we will be removing all keys less than 2048 from our keyrings at the end of the year (31st December 2014). Sadly the response to this has been slower than expected, and we still have about 439 keys that require replacement.
> So the plan is that the beatings will continue until morale improves?

I am sorry you and those developers who have emailed me privately to complain feel like I am engaging in some form of punishment or naming and shaming. I deliberately did not include the list of affected contributors in my August mail, despite being asked to by several people.

At this point I'm now trying to make sure that absolutely no one can claim that they were not warned about the forthcoming key removals; I have also been criticised for having too soft an approach up to this point, such that several people have felt that the first warning they had that the project was phasing out shorter key lengths was the August mail.

To reinforce Enrico's mail I'm well aware that there are people on the list who are valiantly trying to get the signatures they need on new keys, and have had legitimate issues with getting them. I ask the project to help them where possible.

J.

--
101 things you can't have too much of : 19 - A Good Thing.
Re: Reminder: Removing 2048 bit keys from the Debian keyrings
nood...@earth.li wrote:
> I am sorry you and those developers who have emailed me privately to complain feel like I am engaging in some form of punishment or naming and shaming.

No, I do not think that there is anything wrong with publishing their names.

What I feel is that this new policy of removing the shorter keys in such a timeframe, other than not being justified by the actual security risks, is failing to achieve the results desired (still many people have not replaced their key) but no actions are being taken to correct it.

--
ciao,
Marco
Re: Reminder: Removing 2048 bit keys from the Debian keyrings
On Nov 08, Jonathan McDowell nood...@earth.li wrote:
> Back in August I sent notification[0] about the fact that we will be removing all keys less than 2048 from our keyrings at the end of the year (31st December 2014). Sadly the response to this has been slower than expected, and we still have about 439 keys that require replacement.

So the plan is that the beatings will continue until morale improves?

--
ciao,
Marco
Re: Reminder: Removing 2048 bit keys from the Debian keyrings
On Sat, Nov 8, 2014 at 8:25 PM, Marco d'Itri m...@linux.it wrote:
> So the plan is that the beatings will continue until morale improves?

Interpretation is in the eye of the bee holder, but I am considering to attach this list to my weekly bug report; mainly because I can.

Richard

PS: If not for the deadline in less than two months, quarantining the keys which have not been used for two years or more would be prudent today.
Re: Reminder: Removing 2048 bit keys from the Debian keyrings
On Sat, 08 Nov 2014, Richard Hartmann wrote:
> Interpretation is in the eye of the bee holder, but I am considering to attach this list to my weekly bug report; mainly because I can.

Wouldn't it make more sense to ask these people privately what is getting in the way of a switch to a stronger key?

> PS: If not for the deadline in less than two months, quarantining the keys which have not been used for two years or more would be prudent today.

Yes.

--
One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot
Henrique Holschuh
Re: Reminder: Removing 2048 bit keys from the Debian keyrings
On Sat, Nov 8, 2014 at 10:11 PM, Henrique de Moraes Holschuh h...@debian.org wrote:
> Wouldn't it make more sense to ask these people privately what is getting in the way of a switch to a stronger key?

That seems to have happened in similar form a few times already; given the context, it's reasonable to expect them to poke -project, -private, or just anyone on their own.

Richard