On Tue, 16 Oct 2012 22:54:04 +
Robin H. Johnson robb...@gentoo.org wrote:
Previously, the PORTAGE_GPG_KEY variable has allowed ANY argument, and
passed it to GPG, letting GPG use that. This was intended to explicitly
be a unique identifier for a key (or subkey).
However, it seems that

On 10/17/2012 12:16 AM, Michał Górny wrote:
On Tue, 16 Oct 2012 22:54:04 +
Robin H. Johnson robb...@gentoo.org wrote:
As such, we've decided to make the PORTAGE_GPG_KEY strictly enforce what
was originally intended.
- You must specify a key or subkey exactly.
- The leading 0x is

On 17.10.2012 03:30, Patrick Lauer wrote:
On 10/17/12 06:54, Robin H. Johnson wrote:
Hi all,
One of the items that has come up in the Git conversion, and needs some
attention.
[snip]
As such, we've decided to make the PORTAGE_GPG_KEY strictly enforce what
was originally intended.
- You

On Oct 17, 2012 6:57 AM, Robin H. Johnson robb...@gentoo.org wrote:
Hi all,
One of the items that has come up in the Git conversion, and needs some
attention.
Previously, the PORTAGE_GPG_KEY variable has allowed ANY argument, and
passed it to GPG, letting GPG use that. This was intended to

On Wed, Oct 17, 2012 at 08:53:14AM +0800, Ben de Groot wrote:
Additionally, while we are NOT enforcing the use of long key-ids
presently, I strongly encourage ALL developers to move to using them,
due to known attacks against short ids:

On 10/17/12 06:54, Robin H. Johnson wrote:
Hi all,
One of the items that has come up in the Git conversion, and needs some
attention.
[snip]
As such, we've decided to make the PORTAGE_GPG_KEY strictly enforce what
was originally intended.
- You must specify a key or subkey exactly.

On Tue, Oct 16, 2012 at 9:30 PM, Patrick Lauer patr...@gentoo.org wrote:
That's nice. Can we also add some basic policies on key format (key
length, validity) and get a centrally-hosted keyring?
Then it'd even make sense for us to start using the whole signing thing
now :)
Well, if we're

Rich Freeman wrote:
PKI becomes a nightmare if anybody but devs sign, and when we move to
git it won't really be possible to have anybody else sign anyway
unless we allow merge commits, which is just a whole different mess.
I'm not sure? Signatures can be made on anything by anyone and stored