On Thu, 2020-12-17 at 15:15 -0500, Mike Gilbert wrote:
> On Thu, Dec 17, 2020 at 3:03 PM Aaron W. Swenson
> <titanof...@gentoo.org> wrote:
> > 
> > On Thu, Dec 17, 2020 at 01:12:16PM -0500, Mike Gilbert wrote:
> > > Signed-off-by: Mike Gilbert <flop...@gentoo.org>
> > > ---
> > > 
> > > v2: Added "This upload is required in addition to uploading the
> > > SKS pool."
> > > 
> > > glep-0063.rst | 24 ++++++++++++++++++++----
> > > 1 file changed, 20 insertions(+), 4 deletions(-)
> > > 
> > > diff --git a/glep-0063.rst b/glep-0063.rst
> > > index 82541bd..ec465db 100644
> > > --- a/glep-0063.rst
> > > +++ b/glep-0063.rst
> > > @@ -7,10 +7,10 @@ Author: Robin H. Johnson <robb...@gentoo.org>,
> > >         Michał Górny <mgo...@gentoo.org>
> > > Type: Standards Track
> > > Status: Final
> > > -Version: 2.1
> > > +Version: 2.2
> > > Created: 2013-02-18
> > > -Last-Modified: 2019-11-07
> > > -Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24
> > > +Last-Modified: 2020-12-17
> > > +Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24,
> > > 2020-12-17
> > > Content-Type: text/x-rst
> > > ---
> > > 
> > > @@ -28,6 +28,9 @@ OpenPGP key management policies for the Gentoo
> > > Linux distribution.
> > > Changes
> > > =======
> > > 
> > > +v2.2
> > > +  Added "Gentoo Keyserver" section under "Gentoo Infrastructure"
> > > chapter.
> > > +
> > > v2.1
> > >   A requirement for an encryption key has been added, in order to
> > > extend
> > >   the GLEP beyond commit signing and into use of OpenPGP for dev-
> > > to-dev
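Review bot: The v2.2 changelog entry describes only the new section, but the text added further down also introduces an obligation ("This upload is required in addition to uploading to the SKS pool."). Readers who check the Changes list to see whether they need to act will miss that. Consider extending the entry to say that uploading to the Gentoo keyserver is now required, and that "Gentoo LDAP" has become a subsection of the new chapter.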
> > > @@ -135,8 +138,11 @@ their primary key).
> > > 
> > > 5. Encrypted backup of your secret keys.
> > > 
> > > +Gentoo Infrstructure
> > > +====================
> > > +
> > > Gentoo LDAP
> > > -===========
> > > +-----------
> > > 
> > > All Gentoo developers must list the complete fingerprint for
> > > their primary
> > > keys in the "``gpgfingerprint``" LDAP field. It must be exactly
> > > 40 hex digits,
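Review bot: The added chapter title is misspelled: "Gentoo Infrstructure" should be "Gentoo Infrastructure". The v2.2 changelog entry refers to the "Gentoo Infrastructure" chapter, so the two do not match as written. The corrected title is one character longer, so the "====" underline also needs one more "=" or docutils will flag the title underline as too short.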
> > > @@ -147,6 +153,16 @@ of the fingerprint field. In any place that
> > > presently displays
> > > the "``gpgkey``" field, the last 16 hex digits of the fingerprint
> > > should
> > > be displayed instead.
> > > 
> > > +Gentoo Keyserver
> > > +----------------
> > > +
> > > +Gentoo infrastructure uses a keyserver that is isolated from the
> > > SKS pool.
> > > +This keyserver is restricted to accepting uploads from
> > > authorized Gentoo hosts.
> > > +A script is provided on dev.gentoo.org to allow developers to
> > > upload their
> > > +keys. This upload is required in addition to uploading to the
> > > SKS pool.
> > > +
> > > +``gpg --export KEYID | ssh dev.gentoo.org
> > > /usr/local/bin/openpgp-key-upload``
> > > +
> > > Backwards Compatibility
> > > =======================
> > > 
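Review bot: The upload command uses a bare "KEYID" placeholder without saying what form it should take. The LDAP section just above requires the complete 40-hex-digit fingerprint, and a short key ID given to "gpg --export" can match more than one key in a keyring, so the wrong key could be piped to the upload script. Suggest writing the placeholder as the full primary-key fingerprint, for example "gpg --export FINGERPRINT | ssh dev.gentoo.org ...", and stating that it is the same value listed in "gpgfingerprint". It would also help to say whether the upload must be repeated after the key is changed, such as an expiry extension or a new subkey, since the section currently reads as a one-time step.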
> > > --
> > > 2.30.0.rc0
> > > 
> > > 
> > 
> > Thanks for doing this! You beat me to the punch. I was going to try
> > getting to
> > it tomorrow.
> > 
> > It may be good to also change step 7 under "Bare minimum
> > requirements" to read:
> > 
> >      7. Upload your key to the Gentoo Keyserver before usage!
> > 
> > It'd give skimmers a trigger to look for the Gentoo keyserver info.
> 
> Sure, happy to make that change.
> 
> > We might want to add "Upload to the SKS or some other public PGP
> > pool" under
> > "Recommendations", but that's probably beyond the scope of the
> > document now.
> 
> I think it makes sense to move the SKS instruction to the
> recommendations section.
> 
> > Lastly, should we have a link to the step-by-step guide? [1]
> > 
> > [1]:
> > https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys
> 
> I'm not sure I like the idea of referring the user to a wiki article
> in the GLEP. What do others think of this?
> 
> If others agree, please propose some language/location to insert it,
> or send a patch of your own (feel free to use my patch as a starting
> point).
> 

I think we should actually have some dedicated info page purely for
Infra keyserver.  Possibly by replacing the index of
https://keys.gentoo.org.  Infra will look into it.

-- 
Best regards,
Michał Górny


