Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Michael Weber
On 02/13/2013 09:30 PM, Michael Weber wrote: > GPG agents do not transport keys, just passphrases. To stress that, my passphrased key resides on my remote build-box, gpg just asks my local gpg agent for the passphrase. ssh -R /root/.gnupg/S.gpg-agent:/tmp/keyring-michael/gpg b-4 with a persiste

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Peter Stuge
Michael Weber wrote: > > Rather than creating a TCP socket I would look into using the ssh -W > > option. > gpg agent works with unix domain sockets. I know. It would look something like socat + ssh -W socat //Peter

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Michael Weber
On 02/13/2013 09:23 PM, Peter Stuge wrote: > Rather than creating a TCP socket I would look into using the ssh -W > option. gpg agent works with unix domain sockets. -- Michael Weber Gentoo Developer web: https://xmw.de/ mailto: Michael Weber

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Michael Weber
On 02/13/2013 09:07 PM, Agostino Sarubbo wrote: > As most of us do, I do the commit from another machine, not mine. So, for ssh > I'm using ssh -A to forward the key and I'm interested to find a way to do it > for the gpg key. > > I found a how-to that uses socat ( http://superuser.com/question

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Peter Stuge
Agostino Sarubbo wrote: > I'm using ssh -A to forward the key and I'm interested to find a > way to do it for the gpg key. > > I found a how-to that uses socat ( http://superuser.com/questions/161973/how-can-i-forward-a-gpg-key-via-ssh-agent ) > but does not work as expected. Did you debug? Ra

[gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Agostino Sarubbo
On Tuesday 12 February 2013 15:14:15 William Hubbs wrote: > All, > > as preparation for the up-coming cvs->git migration of the portage tree, > the council is strongly suggesting that from this point forward all > developers sign their manifests with their gpg key as described in the > developer's

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Michael Weber
On 02/13/2013 06:22 PM, Aaron W. Swenson wrote: > There's nothing Gentoo specific about it. I don't see why we would > need to officially document an official document. The most we > should do is point people to the resource. So, please link to this

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Aaron W. Swenson
On Wed, Feb 13, 2013 at 07:58:30PM +0200, Eray Aslan wrote: > On Wed, Feb 13, 2013 at 05:22:14PM +, Aaron W. Swenson wrote: > > I agree. This is officially documented by GnuPG. [1] That would be the > > best source to use. It details everything one needs to do to manage a > > key pair. > > Goo

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Eray Aslan
On Wed, Feb 13, 2013 at 05:22:14PM +, Aaron W. Swenson wrote: > I agree. This is officially documented by GnuPG. [1] That would be the > best source to use. It details everything one needs to do to manage a > key pair. Good luck having people find and read it. Similar to (or perhaps linking t

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Diego Elio Pettenò
On 13/02/2013 18:46, "Paweł Hajdan, Jr." wrote: > What is considered a good key size these days? As far as I can tell, 2048 rsa should be still fine. Just drop DSA and anything 1024 I would suggest. -- Diego Elio Pettenò — Flameeyes flamee...@flameeyes.eu — http://blog.flameeyes.eu/

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Paweł Hajdan, Jr.
On 2/13/13 12:28 AM, Robin H. Johnson wrote: > On Wed, Feb 13, 2013 at 12:12:35AM +0100, Michael Weber wrote: >> What is the rotation strategy for (near) outdated keys? >> Alter the key or create a new one? Sign the new with the old one? > If your keysize is still good, you should ideally update th

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Aaron W. Swenson
On Wed, Feb 13, 2013 at 09:35:56AM -0700, Denis Dupeyron wrote: > On Wed, Feb 13, 2013 at 8:31 AM, Aaron W. Swenson > wrote: > > This information, by the way, has been blogged about thousands of > > times. > > There is a reason people write documentation. Contrary to blog posts, > documentation

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Eray Aslan
On Wed, Feb 13, 2013 at 09:35:56AM -0700, Denis Dupeyron wrote: > If you want people to handle security properly you have to tell them > how to. In details. If not everybody will figure it out in his or her > own way, all of them wrong. Get off your high horse and write > documentation if you know

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Denis Dupeyron
On Wed, Feb 13, 2013 at 8:31 AM, Aaron W. Swenson wrote: > This information, by the way, has been blogged about thousands of > times. There is a reason people write documentation. Contrary to blog posts, documentation is thought out, reviewed, maintained and corrected when necessary. Blogs are wr

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Thomas Sachau
Michael Weber schrieb: > On 02/12/2013 10:14 PM, William Hubbs wrote: >> as preparation for the up-coming cvs->git migration of the portage >> tree, the council is strongly suggesting that from this point >> forward all developers sign their manifests with their gpg key as >> described in the devel

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Markos Chandras
On 13 February 2013 15:31, Aaron W. Swenson wrote: > On Wed, Feb 13, 2013 at 01:20:39PM +0100, Michael Weber wrote: >> On 02/13/2013 11:55 AM, Markos Chandras wrote: >> > http://www.gentoo.org/doc/en/gnupg-user.xml >> > >> still no hint what to do on expiration (as every single other "gpg howto").

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Aaron W. Swenson
On Wed, Feb 13, 2013 at 01:20:39PM +0100, Michael Weber wrote: > On 02/13/2013 11:55 AM, Markos Chandras wrote: > > http://www.gentoo.org/doc/en/gnupg-user.xml > > > still no hint what to do on expiration (as every single other "gpg howto"). > It depends. What do you want to do when it expires?

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Michael Weber
On 02/13/2013 11:55 AM, Markos Chandras wrote: > http://www.gentoo.org/doc/en/gnupg-user.xml > still no hint what to do on expiration (as every single other "gpg howto"). -- Michael Weber Gentoo Developer web: https://xmw.de/ mailto: Michael Weber

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Markos Chandras
On 12 February 2013 23:28, Robin H. Johnson wrote: > >> IMHO the answer to these questions is not obvious nor given by (our) >> docu [1]. > I'm pretty sure it was in the devrel developer handbook at one point, > along with instructions to create your key, but I can't find it now. This one? http:

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Ben de Groot
On 13 February 2013 15:07, Michael Weber wrote: > On 02/13/2013 12:28 AM, Robin H. Johnson wrote: >> On Wed, Feb 13, 2013 at 12:12:35AM +0100, Michael Weber wrote: >>> On 02/12/2013 10:14 PM, William Hubbs wrote: If you have any questions on this, please feel free to let us know. >>> Wha

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-13 Thread Fabian Groffen
On 13-02-2013 02:15:48 +0100, Jeroen Roovers wrote: > On Tue, 12 Feb 2013 17:07:33 -0800 > Alec Warner wrote: > > > On Tue, Feb 12, 2013 at 5:05 PM, Jeroen Roovers > > wrote: > > > On Wed, 13 Feb 2013 01:47:34 +0100 > > > Jeroen Roovers wrote: > > > > > >> It would help if repoman noticed when

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-12 Thread Michael Weber
On 02/13/2013 12:28 AM, Robin H. Johnson wrote: > On Wed, Feb 13, 2013 at 12:12:35AM +0100, Michael Weber wrote: >> On 02/12/2013 10:14 PM, William Hubbs wrote: >>> If you have any questions on this, please feel free to let us >>> know. >> What is the rotation strategy for (near) outdated keys? >>

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-12 Thread Jeroen Roovers
On Tue, 12 Feb 2013 17:07:33 -0800 Alec Warner wrote: > On Tue, Feb 12, 2013 at 5:05 PM, Jeroen Roovers > wrote: > > On Wed, 13 Feb 2013 01:47:34 +0100 > > Jeroen Roovers wrote: > > > >> It would help if repoman noticed when you have FEATURES=-sign. :-\ > > > > https://bugs.gentoo.org/show_bug.

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-12 Thread Alec Warner
On Tue, Feb 12, 2013 at 5:05 PM, Jeroen Roovers wrote: > On Wed, 13 Feb 2013 01:47:34 +0100 > Jeroen Roovers wrote: > >> It would help if repoman noticed when you have FEATURES=-sign. :-\ > > https://bugs.gentoo.org/show_bug.cgi?id=457034 We can do the opposite, and just complain if we see unsig

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-12 Thread Jeroen Roovers
On Wed, 13 Feb 2013 01:47:34 +0100 Jeroen Roovers wrote: > It would help if repoman noticed when you have FEATURES=-sign. :-\ https://bugs.gentoo.org/show_bug.cgi?id=457034 jer

[gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-12 Thread Jeroen Roovers
On Tue, 12 Feb 2013 15:14:15 -0600 William Hubbs wrote: > All, > > as preparation for the up-coming cvs->git migration of the portage > tree, the council is strongly suggesting that from this point forward > all developers sign their manifests with their gpg key as described > in the developer's

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-12 Thread Robin H. Johnson
On Wed, Feb 13, 2013 at 12:12:35AM +0100, Michael Weber wrote: > On 02/12/2013 10:14 PM, William Hubbs wrote: > > If you have any questions on this, please feel free to let us > > know. > What is the rotation strategy for (near) outdated keys? > Alter the key or create a new one? Sign the new with

[gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-12 Thread Michael Weber
On 02/12/2013 10:14 PM, William Hubbs wrote: > If you have any questions on this, please feel free to let us > know. What is the rotation strategy for (near) outdated keys? Alter the key or create a new one? Sign the new with the old one? IMHO the a

[gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

2013-02-12 Thread Michael Weber
On 02/12/2013 10:14 PM, William Hubbs wrote: > as preparation for the up-coming cvs->git migration of the portage > tree, the council is strongly suggesting that from this point > forward all developers sign their manifests with their gpg key as > de