Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Fabian Groffen
On 13-02-2013 02:15:48 +0100, Jeroen Roovers wrote:
 On Tue, 12 Feb 2013 17:07:33 -0800
 Alec Warner anta...@gentoo.org wrote:
 
  On Tue, Feb 12, 2013 at 5:05 PM, Jeroen Roovers j...@gentoo.org
  wrote:
   On Wed, 13 Feb 2013 01:47:34 +0100
   Jeroen Roovers j...@gentoo.org wrote:
  
   It would help if repoman noticed when you have FEATURES=-sign. :-\
  
   https://bugs.gentoo.org/show_bug.cgi?id=457034
  
  We can do the opposite, and just complain if we see unsigned
  manifests fly by.
 
 The background here is that I set up a new system and forgot to set
 FEATURES=sign before I went on to do commits from that system. It's not
 like I set FEATURES=-sign on purpose. :)

I wouldn't mind a mild warning from repoman if you're on the gentoo-x86
tree and try to commit without FEATURES=sign.

So, +1


-- 
Fabian Groffen
Gentoo on a different level




Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Ben de Groot
On 13 February 2013 15:07, Michael Weber x...@gentoo.org wrote:
 On 02/13/2013 12:28 AM, Robin H. Johnson wrote:
 On Wed, Feb 13, 2013 at 12:12:35AM +0100, Michael Weber wrote:
 On 02/12/2013 10:14 PM, William Hubbs wrote:
 If you have any questions on this, please feel free to let us
 know.
 What is the rotation strategy for (near) outdated keys?
 Alter the key or create a new one? Sign the new with the old one?
 If your keysize is still good, you should ideally update the expiry on
 the key and re-upload it to keyservers.
 Can you commit this to the document, please?

 IMHO the answer to these questions is not obvious nor given by (our)
 docu [1].
 I'm pretty sure it was in the devrel developer handbook at one point,
 along with instructions to create your key, but I can't find it now.

 Maybe, add keep ldap id/fingerprint synchronized there, too.
 http://www.gentoo.org/proj/en/infrastructure/ldap.xml#doc_chap3
 That does tell how to update the data, but does not suggest to do so.

 My main concern is the cross-referencing of our documentation.
 I'm aware that there is a ton of documentation splattered all over the
 place and outside our infra.
 But besides the non-trivial step to become a dev (as mentioned last week)
 there is a certain non-trivial step to keep one, esp. by gathering the
 non-routine information and fast-forward developments.

All pertinent information should be in the devmanual. If it's not,
then this omission should be fixed as soon as possible. There is no
reason to keep this scattered over multiple locations.

-- 
Cheers,

Ben | yngwin
Gentoo developer
Gentoo Qt project lead, Gentoo Wiki admin



Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Markos Chandras
On 12 February 2013 23:28, Robin H. Johnson robb...@gentoo.org wrote:

 IMHO the answer to these questions is not obvious nor given by (our)
 docu [1].
 I'm pretty sure it was in the devrel developer handbook at one point,
 along with instructions to create your key, but I can't find it now.

This one?

http://www.gentoo.org/doc/en/gnupg-user.xml

-- 
Regards,
Markos Chandras - Gentoo Linux Developer
http://dev.gentoo.org/~hwoarang



Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Michael Weber
On 02/13/2013 11:55 AM, Markos Chandras wrote:
 http://www.gentoo.org/doc/en/gnupg-user.xml
 
still no hint what to do on expiration (as every single other gpg howto).

-- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber x...@gentoo.org



Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Aaron W. Swenson
On Wed, Feb 13, 2013 at 01:20:39PM +0100, Michael Weber wrote:
 On 02/13/2013 11:55 AM, Markos Chandras wrote:
  http://www.gentoo.org/doc/en/gnupg-user.xml
  
 still no hint what to do on expiration (as every single other gpg howto).
 

It depends. What do you want to do when it expires?

If you don't believe that the key has been compromised -- nobody is
going around using your key falsely -- then you should just renew
your key, i.e. change the expiry date.

Some that are a bit more paranoid will generate a new key, sign it
with the about-to-expire key -- not the already expired key because
they would never allow that to happen -- revoke the about-to-expire
key, then sync with the key server(s).

This information, by the way, has been blogged about thousands of
times.

-- 
Mr. Aaron W. Swenson
Gentoo Linux Developer
Email : titanof...@gentoo.org
GnuPG FP : 2C00 7719 4F85 FB07 A49C 0E31 5713 AA03 D1BB FDA0
GnuPG ID : D1BBFDA0




Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Markos Chandras
On 13 February 2013 15:31, Aaron W. Swenson titanof...@gentoo.org wrote:
 On Wed, Feb 13, 2013 at 01:20:39PM +0100, Michael Weber wrote:
 On 02/13/2013 11:55 AM, Markos Chandras wrote:
  http://www.gentoo.org/doc/en/gnupg-user.xml
 
 still no hint what to do on expiration (as every single other gpg howto).


 It depends. What do you want to do when it expires?

 If you don't believe that the key has been compromised -- nobody is
 going around using your key falsely -- then you should just renew
 your key, i.e. change the expiry date.

 Some that are a bit more paranoid will generate a new key, sign it
 with the about-to-expire key -- not the already expired key because
 they would never allow that to happen -- revoke the about-to-expire
 key, then sync with the key server(s).

 This information, by the way, has been blogged about thousands of
 times.

 --
 Mr. Aaron W. Swenson
 Gentoo Linux Developer
 Email : titanof...@gentoo.org
 GnuPG FP : 2C00 7719 4F85 FB07 A49C 0E31 5713 AA03 D1BB FDA0
 GnuPG ID : D1BBFDA0

Correct. I don't think we need a Gentoo-specific document for that.

-- 
Regards,
Markos Chandras - Gentoo Linux Developer
http://dev.gentoo.org/~hwoarang



Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Thomas Sachau
Michael Weber wrote:
 On 02/12/2013 10:14 PM, William Hubbs wrote:
 as preparation for the up-coming cvs-git migration of the portage
 tree, the council is strongly suggesting that from this point
 forward all developers sign their manifests with their gpg key as
 described in the developer's manual [1].
 ++
 
 We should all put these data into LDAP, too. on dev.gentoo.org ..
 
 perl_ldap -b user -M gpgkey gpg-id user
 perl_ldap -b user -M gpgfingerprint gpg-fingerprint user

I suggest you check your ldap details, since those details are already
added for every new dev by his recruiter, so you only have to update
those entries yourself when your key changes. ;-)

-- 

Thomas Sachau
Gentoo Linux Developer





Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Denis Dupeyron
On Wed, Feb 13, 2013 at 8:31 AM, Aaron W. Swenson titanof...@gentoo.org wrote:
 This information, by the way, has been blogged about thousands of
 times.

There is a reason people write documentation. Contrary to blog posts,
documentation is thought out, reviewed, maintained and corrected when
necessary. Blogs are written out of our collective ass in order to
generate page hits or satisfy our ego, and forgotten right away. Ain't
this handy.

If you want people to handle security properly you have to tell them
how to. In details. If not everybody will figure it out in his or her
own way, all of them wrong. Get off your high horse and write
documentation if you know how things work. That's more productive than
this blabbering.

Denis.



Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Eray Aslan
On Wed, Feb 13, 2013 at 09:35:56AM -0700, Denis Dupeyron wrote:
 If you want people to handle security properly you have to tell them
 how to. In details. If not everybody will figure it out in his or her
 own way, all of them wrong. Get off your high horse and write
 documentation if you know how things work.

Amen.  I know it's not sexy but please document / help with
documentation if you can.

-- 
Eray Aslan e...@gentoo.org



Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Aaron W. Swenson
On Wed, Feb 13, 2013 at 09:35:56AM -0700, Denis Dupeyron wrote:
 On Wed, Feb 13, 2013 at 8:31 AM, Aaron W. Swenson titanof...@gentoo.org 
 wrote:
  This information, by the way, has been blogged about thousands of
  times.
 
 There is a reason people write documentation. Contrary to blog posts,
 documentation is thought out, reviewed, maintained and corrected when
 necessary.

I agree. This is officially documented by GnuPG. [1] That would be the
best source to use. It details everything one needs to do to manage a
key pair.

PGP keys are daunting, but once one uses them for a while it becomes a
bit easier to grok.

There's nothing Gentoo specific about it. I don't see why we would
need to officially document an official document. The most we should
do is point people to the resource.

[1] http://www.gnupg.org/gph/en/manual.html#AEN329

-- 
Mr. Aaron W. Swenson
Gentoo Linux Developer
Email : titanof...@gentoo.org
GnuPG FP : 2C00 7719 4F85 FB07 A49C 0E31 5713 AA03 D1BB FDA0
GnuPG ID : D1BBFDA0




Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Paweł Hajdan, Jr.
On 2/13/13 12:28 AM, Robin H. Johnson wrote:
 On Wed, Feb 13, 2013 at 12:12:35AM +0100, Michael Weber wrote:
 What is the rotation strategy for (near) outdated keys?
 Alter the key or create a new one? Sign the new with the old one?
 If your keysize is still good, you should ideally update the expiry on
 the key and re-upload it to keyservers.

What is considered a good key size these days?

Sorry I'm asking a question that has been blogged about thousands of
times, but I trust a Gentoo dev more about this than a random blogger
who insists everyone should use 8192 bit keys. ;)

Paweł





Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Diego Elio Pettenò
On 13/02/2013 18:46, Paweł Hajdan, Jr. wrote:
 What is considered a good key size these days?

As far as I can tell, 2048 rsa should be still fine.

Just drop DSA and anything 1024 I would suggest.

-- 
Diego Elio Pettenò — Flameeyes
flamee...@flameeyes.eu — http://blog.flameeyes.eu/
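Aaron's expiry advice earlier in the thread (renew the key by changing its expiry date, or generate a new key signed with the about-to-expire one) and Diego's key-size advice above (2048-bit RSA is still fine; drop DSA and anything 1024-bit) both reduce to checks a developer can run over their own keyring. The following is an added example, not a Gentoo tool and not code from anyone in this thread: it parses the machine-readable listing printed by `gpg --with-colons --list-keys` (a real GnuPG option; field positions follow GnuPG's DETAILS file) and reports keys that are DSA, shorter than 2048 bits, expired, expiring within a configurable window, or without an expiry date. The sample listing, key ids, dates and the `now` timestamp are constructed for the example.

```python
"""Audit a GnuPG public-key listing for the problems raised in the thread:
keys near or past expiry, DSA keys, and keys shorter than 2048 bits.
Added example, not a Gentoo tool. Input is the output of
`gpg --with-colons --list-keys`; the listing below is constructed."""
from __future__ import annotations

DAY = 86400
# OpenPGP public-key algorithm ids (RFC 4880 section 9.1); 22 is EdDSA.
ALGO_NAMES = {1: "RSA", 16: "ELG", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

# Constructed sample listing: key ids, fingerprint hashes and dates are made up.
SAMPLE_LISTING = """\
tru::1:1360700000:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1325376000:1420070400::u:::scESC:
uid:u::::1325376000::0000000000000000000000000000000000000000::Example Dev (A) <a@example.org>:
sub:u:2048:1:FEDCBA9876543210:1325376000:1420070400:::::e:
pub:u:1024:17:1111222233334444:1200000000:1400000000::u:::scSC:
uid:u::::1200000000::1111111111111111111111111111111111111111::Example Dev (B) <b@example.org>:
pub:u:4096:1:AAAABBBBCCCCDDDD:1300000000:1362000000::u:::scESC:
uid:u::::1300000000::2222222222222222222222222222222222222222::Example Dev (C) <c@example.org>:
pub:e:2048:1:5555666677778888:1300000000:1350000000::u:::scESC:
uid:e::::1300000000::3333333333333333333333333333333333333333::Example Dev (D) <d@example.org>:
pub:u:2048:1:9999AAAABBBBCCCC:1300000000:::u:::scESC:
uid:u::::1300000000::4444444444444444444444444444444444444444::Example Dev (E) <e@example.org>:
"""


def parse_pub_records(listing: str) -> list[dict]:
    """Extract the primary-key ('pub') records from --with-colons output.
    Field positions (1-based, per GnuPG's DETAILS file): 3 = key length,
    4 = algorithm id, 5 = key id, 6 = creation, 7 = expiry (epoch seconds,
    empty when the key never expires)."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "pub":
            continue
        keys.append({
            "keyid": fields[4],
            "bits": int(fields[2]),
            "algo": int(fields[3]),
            "expires": int(fields[6]) if fields[6] else None,
        })
    return keys


def audit_keys(listing: str, now: int, warn_days: int = 30,
               min_bits: int = 2048) -> dict[str, list[str]]:
    """Map each primary key id to its findings (an empty list means nothing to do)."""
    report = {}
    for key in parse_pub_records(listing):
        findings = []
        algo = ALGO_NAMES.get(key["algo"], f"algo {key['algo']}")
        if key["algo"] == 17:
            findings.append(f"DSA key: replace with an RSA key of at least {min_bits} bits")
        if key["bits"] < min_bits:
            findings.append(f"{algo} {key['bits']}-bit key is below {min_bits} bits")
        exp = key["expires"]
        if exp is None:
            findings.append("no expiry date set")
        elif exp <= now:
            findings.append("expired; revoke or extend expiry and re-upload to keyservers")
        elif exp - now < warn_days * DAY:
            days = (exp - now) // DAY
            findings.append(f"expires in {days} days: extend expiry and re-upload to keyservers")
        report[key["keyid"]] = findings
    return report


if __name__ == "__main__":
    NOW = 1360800000  # constructed "current time": 2013-02-14 00:00 UTC
    for keyid, findings in audit_keys(SAMPLE_LISTING, NOW).items():
        print(keyid, "OK" if not findings else "; ".join(findings))
```

Replacing `SAMPLE_LISTING` with `sys.stdin.read()` and `NOW` with `int(time.time())` runs the same audit on a real keyring piped in from `gpg --with-colons --list-keys`; the thresholds are parameters so a project can tighten them without touching the parser.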



Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Eray Aslan
On Wed, Feb 13, 2013 at 05:22:14PM +, Aaron W. Swenson wrote:
 I agree. This is officially documented by GnuPG. [1] That would be the
 best source to use. It details everything one needs to do to manage a
 key pair.

Good luck having people find and read it.  Similar to (or perhaps
linking to) something along the lines of

http://keyring.debian.org/creating-key.html

might be appropriate (by adding an expiry date section perhaps).

This is not about expiry dates or even gnupg in particular.  Our
documentation is not up to par anymore.  We need to spend more effort in
documentation in general.  Please do so if you can.

-- 
Eray Aslan e...@gentoo.org



Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Aaron W. Swenson
On Wed, Feb 13, 2013 at 07:58:30PM +0200, Eray Aslan wrote:
 On Wed, Feb 13, 2013 at 05:22:14PM +, Aaron W. Swenson wrote:
  I agree. This is officially documented by GnuPG. [1] That would be the
  best source to use. It details everything one needs to do to manage a
  key pair.
 
 Good luck having people find and read it.  Similar to (or perhaps
 linking to) something along the lines of
 
 http://keyring.debian.org/creating-key.html
 
 might be appropriate (by adding an expiry date section perhaps).
 
 This is not about expiry dates or even gnupg in particular.  Our
 documentation is not up to par anymore.  We need to spend more effort in
 documentation in general.  Please do so if you can.
 

I do agree that we need to state some minimum requirements that aren't
so antiquated. And, we need to make it a bit more conspicuous.

-- 
Mr. Aaron W. Swenson
Gentoo Linux Developer
Email : titanof...@gentoo.org
GnuPG FP : 2C00 7719 4F85 FB07 A49C 0E31 5713 AA03 D1BB FDA0
GnuPG ID : D1BBFDA0




Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Michael Weber
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 02/13/2013 06:22 PM, Aaron W. Swenson wrote:
 There's nothing Gentoo specific about it. I don't see why we would 
 need to officially document an official document. The most we
 should do is point people to the resource.
So, please link to this page and drop the fractional/incomplete version.

 [1] http://www.gnupg.org/gph/en/manual.html#AEN329
 


- -- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber x...@gentoo.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlEb62sACgkQknrdDGLu8JAZeQD+M8+z4/LicZnWLOf+mwXcqFEM
qwuAFjeV5XN+KoDehn8A/1IE9ane4mN5dTFSPRgArTghBUgJ1hXhfIcDdCcukB0N
=24Uj
-END PGP SIGNATURE-



[gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Agostino Sarubbo
On Tuesday 12 February 2013 15:14:15 William Hubbs wrote:
 All,
 
 as preparation for the up-coming cvs-git migration of the portage tree,
 the council is strongly suggesting that from this point forward all
 developers sign their manifests with their gpg key as described in the
 developer's manual [1].
 
 If you have any questions on this, please feel free to let us know.

As most of us do, I do the commit from another machine, not mine. So, for ssh 
I'm using ssh -A to forward the key and I'm interested to find a way to do it 
for the gpg key.

I found a how-to that uses socat ( http://superuser.com/questions/161973/how-can-i-forward-a-gpg-key-via-ssh-agent ) but it does not work as expected.

This is an example: http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-portage/splat/Manifest?revision=1.45&view=markup

The manifest apparently is signed, but there is no really gpg sign.

If someone knows how to do it, please let me know.
-- 
Agostino Sarubbo / ago -at- gentoo.org
Gentoo Linux Developer



Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Peter Stuge
Agostino Sarubbo wrote:
 I'm using ssh -A to forward the key and I'm interested to find a
 way to do it for the gpg key.
 
 I found a how-to that uses socat ( http://superuser.com/questions/161973/how-can-i-forward-a-gpg-key-via-ssh-agent ) but it does not work as expected.

Did you debug?

Rather than creating a TCP socket I would look into using the ssh -W
option.


//Peter



Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Michael Weber
On 02/13/2013 09:07 PM, Agostino Sarubbo wrote:
 As most of us do, I do the commit from another machine, not mine. So, for ssh 
 I'm using ssh -A to forward the key and I'm interested to find a way to do it 
 for the gpg key.
 
 I found a how-to that uses socat ( http://superuser.com/questions/161973/how-can-i-forward-a-gpg-key-via-ssh-agent ) but it does not work as expected.

GPG agents do not transport keys, just passphrases.

I once used a patch against openssh to enable forwarding of domain
sockets, it applies to current 6.1_p1.

http://www.25thandclement.com/~william/projects/streamlocal.html

Maybe we should add this to our openssh version, I'd appreciate it.

 This is an example: http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-portage/splat/Manifest?revision=1.45&view=markup
 
 The manifest apparently is signed, but there is no really gpg sign.

Look closely at the output of repoman commit; there is a small "gpg
failed" or something like that.


-- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber x...@gentoo.org



Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Michael Weber
On 02/13/2013 09:23 PM, Peter Stuge wrote:
 Rather than creating a TCP socket I would look into using the ssh -W
 option.
gpg agent works with unix domain sockets.


-- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber x...@gentoo.org



Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Peter Stuge
Michael Weber wrote:
  Rather than creating a TCP socket I would look into using the ssh -W
  option.
 gpg agent works with unix domain sockets.

I know. It would look something like socat + ssh -W socat


//Peter



Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Michael Weber
On 02/13/2013 09:30 PM, Michael Weber wrote:
 GPG agents do not transport keys, just passphrases.

To stress that, my passphrased key resides on my remote build-box;
gpg just asks my local gpg agent for the passphrase.

ssh -R /root/.gnupg/S.gpg-agent:/tmp/keyring-michael/gpg b-4

with a persistent location of the unix socket assured by
https://xmw.de/dotfiles/bin/new-keyring




-- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber x...@gentoo.org



[gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-12 Thread Michael Weber
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 02/12/2013 10:14 PM, William Hubbs wrote:
 as preparation for the up-coming cvs-git migration of the portage
 tree, the council is strongly suggesting that from this point
 forward all developers sign their manifests with their gpg key as
 described in the developer's manual [1].
++

We should all put these data into LDAP, too. on dev.gentoo.org ..

perl_ldap -b user -M gpgkey gpg-id user
perl_ldap -b user -M gpgfingerprint gpg-fingerprint user


At least have some loose binding between tree signing keys and dev
identities. Or put the whole public key into the ldap.

- -- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber x...@gentoo.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlEax6cACgkQknrdDGLu8JAHmgD/fMVoUUO5g7iYeFobMy6rWBW8
mVIAoCe2BWZ6XOfPEvEBAI1Ny0ruWaRjI+HEStU3omgNVPUddeLoKJMyK5r0pJiX
=37sv
-END PGP SIGNATURE-



[gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-12 Thread Michael Weber
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 02/12/2013 10:14 PM, William Hubbs wrote:
 If you have any questions on this, please feel free to let us
 know.
What is the rotation strategy for (near) outdated keys?
Alter the key or create a new one? Sign the new with the old one?

IMHO the answer to these questions is not obvious nor given by (our)
docu [1].

Maybe, add keep ldap id/fingerprint synchronized there, too.


 [1]
 http://devmanual.gentoo.org/general-concepts/manifest/index.html

- -- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber x...@gentoo.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlEazGMACgkQknrdDGLu8JBXygD8CalxwI4y7kxbqYwyXcyohtbW
7xICGdFgIDA8jH7v4poA/RrtQTxwmmzE4g53Eyg8RBKxEIa0BmAZUaAMIyM9ntdq
=XOfU
-END PGP SIGNATURE-



Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-12 Thread Robin H. Johnson
On Wed, Feb 13, 2013 at 12:12:35AM +0100, Michael Weber wrote:
 On 02/12/2013 10:14 PM, William Hubbs wrote:
  If you have any questions on this, please feel free to let us
  know.
 What is the rotation strategy for (near) outdated keys?
 Alter the key or create a new one? Sign the new with the old one?
If your keysize is still good, you should ideally update the expiry on
the key and re-upload it to keyservers.

 IMHO the answer to these questions is not obvious nor given by (our)
 docu [1].
I'm pretty sure it was in the devrel developer handbook at one point,
along with instructions to create your key, but I can't find it now.

 Maybe, add keep ldap id/fingerprint synchronized there, too.
http://www.gentoo.org/proj/en/infrastructure/ldap.xml#doc_chap3

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robb...@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85



[gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-12 Thread Jeroen Roovers
On Tue, 12 Feb 2013 15:14:15 -0600
William Hubbs willi...@gentoo.org wrote:

 All,
 
 as preparation for the up-coming cvs-git migration of the portage
 tree, the council is strongly suggesting that from this point forward
 all developers sign their manifests with their gpg key as described
 in the developer's manual [1].
 
 If you have any questions on this, please feel free to let us know.
 
 On behalf of the council,
 
 William
 
 [1] http://devmanual.gentoo.org/general-concepts/manifest/index.html

It would help if repoman noticed when you have FEATURES=-sign. :-\


 jer



Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-12 Thread Jeroen Roovers
On Wed, 13 Feb 2013 01:47:34 +0100
Jeroen Roovers j...@gentoo.org wrote:

 It would help if repoman noticed when you have FEATURES=-sign. :-\

https://bugs.gentoo.org/show_bug.cgi?id=457034


 jer



Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-12 Thread Alec Warner
On Tue, Feb 12, 2013 at 5:05 PM, Jeroen Roovers j...@gentoo.org wrote:
 On Wed, 13 Feb 2013 01:47:34 +0100
 Jeroen Roovers j...@gentoo.org wrote:

 It would help if repoman noticed when you have FEATURES=-sign. :-\

 https://bugs.gentoo.org/show_bug.cgi?id=457034

We can do the opposite, and just complain if we see unsigned manifests fly by.

-A



  jer
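Alec's suggestion above (complain when unsigned Manifests fly by) and Jeroen's point that repoman could notice a missing FEATURES=sign both come down to recognising whether a Manifest carries a complete OpenPGP clearsign envelope. The following is an added example, not repoman or any Gentoo code: it classifies a Manifest's text as unsigned (no envelope), signed (structurally complete envelope) or malformed (e.g. a clearsign header with no signature block), and lists the package directories a commit check would complain about. It checks structure only; whether the signature is actually valid is still `gpg --verify`'s job. The sample Manifests, their digests and the armored signature data are constructed and are not real digests or a real signature.

```python
"""Structural check for OpenPGP clearsigned Portage Manifest files.
Added example, not repoman code. States: 'unsigned' (no clearsign envelope),
'signed' (complete envelope), 'malformed' (broken envelope, e.g. header
without a signature block). The signature itself is not verified here."""
from __future__ import annotations
import re

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
ENTRY_TYPES = ("AUX ", "DIST ", "EBUILD ", "MANIFEST ", "MISC ")
BASE64_LINE = re.compile(r"[A-Za-z0-9+/]+=*")
CRC_LINE = re.compile(r"=[A-Za-z0-9+/]{4}")   # armor checksum line, e.g. "=AbCd"


def manifest_signature_status(text: str) -> str:
    lines = text.splitlines()
    if not lines or lines[0] != BEGIN_SIGNED:
        # armor markers anywhere else mean a damaged envelope, not a plain file
        return "malformed" if any(l.startswith("-----BEGIN PGP") for l in lines) else "unsigned"
    # clearsign header: "Hash: <algo>" followed by an empty line
    if len(lines) < 3 or not lines[1].startswith("Hash: ") or lines[2] != "":
        return "malformed"
    try:
        sig_start = lines.index(BEGIN_SIG)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        return "malformed"
    body = lines[3:sig_start]
    if not any(l.startswith(ENTRY_TYPES) for l in body):
        return "malformed"          # envelope around something that is not a Manifest
    # armor block: optional "Key: value" headers, blank line, base64 data, CRC line
    armor = lines[sig_start + 1:sig_end]
    if "" not in armor:
        return "malformed"
    data = armor[armor.index("") + 1:]
    if len(data) < 2 or not CRC_LINE.fullmatch(data[-1]):
        return "malformed"
    if not all(BASE64_LINE.fullmatch(l) for l in data[:-1]):
        return "malformed"
    return "signed"


def unsigned_manifests(manifests: dict[str, str]) -> list[str]:
    """Package directories whose Manifest is not properly signed: the list a
    commit-time check would complain about."""
    return sorted(path for path, text in manifests.items()
                  if manifest_signature_status(text) != "signed")


# Constructed sample Manifests: digests and signature data are dummy values.
SIGNED_MANIFEST = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

DIST splat-0.1.tar.bz2 10240 SHA256 0000000000000000000000000000000000000000000000000000000000000000
EBUILD splat-0.1.ebuild 512 SHA256 1111111111111111111111111111111111111111111111111111111111111111
MISC metadata.xml 256 SHA256 2222222222222222222222222222222222222222222222222222222222222222
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
BBBBBBBBBBBBBBBBBBBB
=AbCd
-----END PGP SIGNATURE-----
"""

UNSIGNED_MANIFEST = """\
DIST splat-0.1.tar.bz2 10240 SHA256 0000000000000000000000000000000000000000000000000000000000000000
EBUILD splat-0.1.ebuild 512 SHA256 1111111111111111111111111111111111111111111111111111111111111111
"""

# clearsign header present but no signature block follows
TRUNCATED_MANIFEST = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

DIST splat-0.1.tar.bz2 10240 SHA256 0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    tree = {"app-portage/splat": SIGNED_MANIFEST,
            "app-misc/foo": UNSIGNED_MANIFEST,
            "app-misc/bar": TRUNCATED_MANIFEST}
    for pkg in unsigned_manifests(tree):
        print(f"{pkg}: Manifest is {manifest_signature_status(tree[pkg])}")
```

The three-way result matters for the warning text: an "unsigned" Manifest points at a missing FEATURES=sign, while a "malformed" one points at a signing run that did not complete, which is the kind of failure buried in repoman's output that is easy to miss.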




Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-12 Thread Jeroen Roovers
On Tue, 12 Feb 2013 17:07:33 -0800
Alec Warner anta...@gentoo.org wrote:

 On Tue, Feb 12, 2013 at 5:05 PM, Jeroen Roovers j...@gentoo.org
 wrote:
  On Wed, 13 Feb 2013 01:47:34 +0100
  Jeroen Roovers j...@gentoo.org wrote:
 
  It would help if repoman noticed when you have FEATURES=-sign. :-\
 
  https://bugs.gentoo.org/show_bug.cgi?id=457034
 
 We can do the opposite, and just complain if we see unsigned
 manifests fly by.

The background here is that I set up a new system and forgot to set
FEATURES=sign before I went on to do commits from that system. It's not
like I set FEATURES=-sign on purpose. :)


  jer



Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-12 Thread Michael Weber
On 02/13/2013 12:28 AM, Robin H. Johnson wrote:
 On Wed, Feb 13, 2013 at 12:12:35AM +0100, Michael Weber wrote:
 On 02/12/2013 10:14 PM, William Hubbs wrote:
 If you have any questions on this, please feel free to let us
 know.
 What is the rotation strategy for (near) outdated keys?
 Alter the key or create a new one? Sign the new with the old one?
 If your keysize is still good, you should ideally update the expiry on
 the key and re-upload it to keyservers.
Can you commit this to the document, please?

 IMHO the answer to these questions is not obvious nor given by (our)
 docu [1].
 I'm pretty sure it was in the devrel developer handbook at one point,
 along with instructions to create your key, but I can't find it now.

 Maybe, add keep ldap id/fingerprint synchronized there, too.
 http://www.gentoo.org/proj/en/infrastructure/ldap.xml#doc_chap3
That does tell how to update the data, but does not suggest to do so.

My main concern is the cross-referencing of our documentation.
I'm aware that there is a ton of documentation splattered all over the
place and outside our infra.
But besides the non-trivial step to become a dev (as mentioned last week)
there is a certain non-trivial step to keep one, esp. by gathering the
non-routine information and fast-forward developments.

-- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber x...@gentoo.org