On Thu, Apr 25, 2019 at 4:55 PM Kristian Fiskerstrand <k...@gentoo.org> wrote:
>
> Quite frankly I'd expect a Gentoo Developer to be able to manage the gpg
> interface.
>
Being able to is not the same as caring enough to be bothered with it... I don't want to custom-tailor my Gentoo key. I just want to generate a key that will make the commit scripts happy. The key is completely disposable from a personal standpoint - when the GLEP was recently revised to make my old key no longer valid, I just generated a new one. I didn't even bother revoking the old one, since it had no function as soon as I changed the fingerprint in LDAP.

I was generating PGP keys back when it used IDEA and I'm guessing MD5. I've had gpg keys for decades. I used my personal one for Gentoo until the point where there were specific requirements for a Gentoo key, and rather than try to personally live with the Gentoo requirements it makes far more sense to just generate a Gentoo-specific key. Then we can change the GLEP as often as we like and it really doesn't bother me much. I can just discard my key and create a new one, though it would be nice if those creating the GLEPs would actually document the simplest way to do this for those who really can't be bothered to read the man page.

I mean, I'd expect any Gentoo dev to be able to figure out how to use git as well, but git also has a terrible command line interface, so rather than put a bunch of requirements in a document and force everybody to dig through manpages to get it to generate signed commits/pushes/etc we just give a handy workflow. After all, our goal is to maintain the repo, not spend all day independently deciphering how to sign pushes or figuring out that a commit sig and a push sig are two different things.

Personally I think we ought to make it easier to just use the Nitrokeys we spent all this money on in a more secure manner than just leaving primary keys lying around on hard drives, which is where I suspect the vast majority will reside, completely negating the expense the Foundation and Nitrokey both went through to provide them for us.
While I'm all for GLEPs themselves sticking to specs, having a workflow document to go along with it would go a long way to helping devs to comply, rather than spending all our effort writing increasingly clever scripts to yell at them when they aren't complying.

--
Rich
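The kind of "handy workflow" the post asks for, written out as an added example (my script, not anything from the thread or from Gentoo's own tooling): a disposable signing key created in a scratch keyring, the three git settings that turn on commit signatures and push certificates, and a server-side pre-receive hook that shows why a commit signature and a push signature are two different things. It assumes GnuPG 2.1 or later (for `--quick-generate-key` and loopback pinentry) and git on PATH; the UID, the one-year expiry and the nonce seed are placeholders of mine, not GLEP values.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Placeholders (mine):
# the UID, the 1y expiry and the nonce seed are not values from any GLEP.

# Generate a throwaway key in its own GNUPGHOME so it never touches a personal
# keyring; prints the primary key fingerprint on stdout.
make_disposable_key() {
    home="$1"; uid="$2"
    mkdir -p "$home"; chmod 700 "$home"
    GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" default default 1y
    GNUPGHOME="$home" gpg --with-colons --list-keys "$uid" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Client side: tell git which key to use, sign every commit, and attach a push
# certificate whenever the receiving server advertises support for it.
configure_git_signing() {
    repo="$1"; fpr="$2"
    git -C "$repo" config user.signingkey "$fpr"
    git -C "$repo" config commit.gpgsign true      # commit signature
    git -C "$repo" config push.gpgSign if-asked    # push certificate
}

# Server side: a bare repo that advertises push certificates (certNonceSeed)
# and rejects any push whose certificate does not verify. git exports
# GIT_PUSH_CERT_STATUS to the hook; "G" means a good signature.
make_signed_push_server() {
    bare="$1"
    git init -q --bare "$bare"
    git -C "$bare" config receive.certNonceSeed placeholder-seed
    cat > "$bare/hooks/pre-receive" <<'EOF'
#!/bin/sh
[ "${GIT_PUSH_CERT_STATUS:-}" = G ] || { echo "push certificate missing or bad" >&2; exit 1; }
EOF
    chmod +x "$bare/hooks/pre-receive"
}

# End to end: key, repo, signed commit, signed push. Prints "ok" and returns 0
# only if the commit signature verifies and the signed push is accepted.
signed_workflow_demo() {
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    fpr=$(make_disposable_key "$GNUPGHOME" "Example Dev <dev@example.invalid>") || return 1
    git init -q "$work/repo"
    git -C "$work/repo" config user.name "Example Dev"
    git -C "$work/repo" config user.email dev@example.invalid
    configure_git_signing "$work/repo" "$fpr"
    echo hello > "$work/repo/file"
    git -C "$work/repo" add file
    git -C "$work/repo" commit -q -m "signed commit" || return 1
    # Commit signature: verifiable by anyone who has the key, forever.
    git -C "$work/repo" verify-commit HEAD 2>/dev/null || return 1
    make_signed_push_server "$work/server.git"
    # Push signature: a separate certificate over the ref update plus a server
    # nonce, checked only by the receiving hook at push time.
    git -C "$work/repo" push -q --signed "$work/server.git" HEAD:refs/heads/main || return 1
    echo ok
}
```

Run `signed_workflow_demo` to see both signatures exercised; the `verify-commit` step proves the commit signature, while the hook on the bare repository proves the push certificate, and removing `--signed` (or `push.gpgSign`) makes the push fail at the hook even though every commit in it is still signed.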