On Wed, Dec 16, 2020 at 11:48 PM desultory <desult...@gentoo.org> wrote:
>
> On 12/16/20 03:01, Michał Górny wrote:
> > On Tue, 2020-12-15 at 23:37 -0500, Aaron W. Swenson wrote:
> >> On 2020-12-15 11:16, Michael Orlitzky wrote:
> >>> On 12/15/20 11:11 AM, Thomas Deutschmann wrote:
> >>>>
> >>>> What do you mean exactly?
> >>>>
> >>>> For Gentoo tooling, only Gentoo keyservers are important and
> >>>> Gentoo no longer synchronizes with any other pool.
> >>>>
> >>> "The Gentoo developer tooling explicitly checks the Gentoo keyserver
> >>> pool with a much higher frequency" strongly implies that we check the
> >>> non-Gentoo pools with a non-zero frequency.
> >>>
> >>>
> >>
> >> I'm with Michael on this. I've recently experienced this issue myself as the
> >> instruction to upload the key to the Gentoo keyserver is separate from the
> >> GLEP63[1] document. It doesn't matter that the step is documented if the Holy
> >> Tome GLEP63 doesn't mention it. What hint would I have to look for a
> >> supplemental document to provide that specific step?
> >>
> >> According to GLEP 63, uploading to the SKS keyserver is a requirement.
> >> However, it fails to specify which SKS keyserver. In fact, neither "SKS" nor
> >> "keyserver" are defined in GLEP63. Ergo, the natural interpretation is *anything*
> >> that's called an SKS keyserver will satisfy the requirement. As long as the
> >> developer can submit the key, the requirement is met.
> >>
> >> Additionally, the supplemental document[2] doesn't say developers must upload
> >> via an internal host, but that devs should upload to both SKS and the Gentoo
> >> keyserver. Yes, it says the Gentoo keyserver is currently restricted to syncing
> >> with "authorized Gentoo hosts", but that's a nonsense phrase and unhelpful. It
> >> assumes I know what the authorized Gentoo hosts are. It doesn't clearly state
> >> what they are. It kind of hints that it will pull from SKS eventually, but it
> >> could take a long time.
> >>
> >> I understand we temporarily stopped syncing with the public keyserver out of an
> >> overabundance of caution. However, that shouldn't have been done without
> >> updating every official Gentoo resource regarding how devs should handle their
> >> keys, which as far as I know is only two documents[1,2]. A whopping 2
> >> documents.
> >>
> >> This new (I know it's been around for a year but that doesn't make it any less
> >> new), stricter requirement, should be **explicitly** stated in GLEP63, properly
> >> referencing the justification[3], and linking to the infra supplemental
> >> document. The infra supplemental document needs to then use the phrase "must" in
> >> place of "should" when informing readers to upload to two different locations.
> >
> > ...and what have you done to resolve the problem, except for making
> > oververbose complaints and demands in middle of some random thread?
> >
>
> Discuss it, which is more than you have done here. There is no need to
> berate signal because you feel like making noise.
>
> Formulating and discussing ways to fix problems before actually fixing
> them helps to reduce effort wasted on rebuilding old solutions which
> have failed for whatever reason. In this case documentation needs to be
> updated, discussing the appropriate manner in which to update which
> documentation seems to be more grounds for engagement than recrimination.
>
> On the subject of updating the documentation, the proposal seems
> generally sound; do you have any constructive criticism of it?
>

So I can understand where Michał's reaction comes from. On my first read through Aaron's message, it seemed like a long email complaining about things that had been done wrong. Upon re-reading it with a different mindset, it doesn't seem so bad if you skip over some of the text. For example, I don't think the paragraph below is necessary, and could evoke a defensive reaction from the recipient.

> I understand we temporarily stopped syncing with the public keyserver out of
> an overabundance of caution. However, that shouldn't have been done without
> updating every official Gentoo resource regarding how devs should handle their
> keys, which as far as I know is only two documents[1,2]. A whopping 2
> documents.

I think a shorter email simply requesting that the documentation be updated would have sufficed.