On Tue, 2020-12-15 at 23:37 -0500, Aaron W. Swenson wrote: > On 2020-12-15 11:16, Michael Orlitzky wrote: > > On 12/15/20 11:11 AM, Thomas Deutschmann wrote: > > > > > > What do you mean exactly? > > > > > > For Gentoo tooling, only Gentoo keyservers are important and > > > Gentoo no longer synchronizes with any other pool. > > > > > "The Gentoo developer tooling explicitly checks the Gentoo > > keyserver > > pool with a much higher frequency" strongly implies that we check > > the > > non-Gentoo pools with a non-zero frequency. > > > > > > I'm with Michael on this. I've recently experienced this issue myself > as the > instruction to upload the key to the Gentoo keyserver is separate > from the > GLEP63[1] document. It doesn't matter that the step is documented if > the Holy > Tome GLEP63 doesn't mention it. What hint would I have to look for a > supplemental document to provide that specific step? > > According to GLEP 63, uploading to the SKS keyserver is a > requirement. > However, it fails to specify which SKS keyserver. In fact, neither > "SKS" nor > "keyserver" are defined in GLEP63. Ergo, the natural interpretation > is *anything* > that's called an SKS keyserver will satisfy the requirement. As long > as the > developer can submit the key, the requirement is met. > > Additionally, the supplemental document[2] doesn't say developers > must upload > via an internal host, but that devs should upload to both SKS and the > Gentoo > keyserver. Yes, it says the Gentoo keyserver is currently restricted > to syncing > with "authorized Gentoo hosts", but that's a nonsense phrase and > unhelpful. It > assumes I know what the authorized Gentoo hosts are. It doesn't > clearly state > what they are. It kind of hints that it will pull from SKS > eventually, but it > could take a long time. > > I understand we temporarily stopped syncing with the public keyserver > out of an > overabundance of caution. However, that shouldn't have been done > without > updating every official Gentoo resource regarding how devs should > handle their > keys, which as far as I know is only two documents[1,2]. A whopping 2 > documents. > > This new (I know it's been around for a year but that doesn't make it > any less > new), stricter requirement, should be **explicitly** stated in > GLEP63, properly > referencing the justification[3], and linking to the infra > supplemental > document. The infra supplemental document needs to then use the > phrase "must" in > place of "should" when informing readers to upload to two different > locations.
...and what have you done to resolve the problem, except for making oververbose complaints and demands in middle of some random thread? -- Best regards, Michał Górny
