
Re: State of the debian keyring

On Mon, Feb 24, 2014 at 11:35 AM, Lucas Nussbaum <lucas@debian.org> wrote:
> Hi,
> On 22/02/14 at 20:57 -0500, Andrew Starr-Bochicchio wrote:
>> Has there been any analysis of how active the developers are? I'd
>> hazard to guess that a good number should be moved to emeritus status.
>> Perhaps we should do a ping of developers with 1024 bit keys?
> I've done a quick hack using UDD:
> http://udd.debian.org/cgi-bin/gpg1024.cgi
> A large number of people still using 1024 bit keys are very active DDs.

I believe I have an idea that's better than the status quo, and is
actionable now without potentially crippling the project. Please let
me know if I am missing something significant.

Perhaps we could create a new "transition role" GPG identity, that
would be administered by the keyring maintainers and would sign any
requests for changing to a strong key that are signed by the same DD's
weak key. We would allow DDs to use the new strong key to do their
work for a limited period of time, while they seek the required two DD
signatures. (Say 12 months, but this is fungible.) I am proposing a
role key, so it doesn't get confused with "real sigs" and we can
easily track who still needs real sigs.

Obviously as DDs switched to strong keys using this option, their old
1024 bit keys would be disabled, but to really make this better than
the status quo, we would need to couple this with a policy to set a
fairly aggressive date for disabling any 1024 bit keys. (Basically
just enough time for keyring maintainers to absorb the influx of key
change requests from active DDs.)

This prevents us from having to wait for everyone to get their 2 sigs
to move to stronger security. It also means we can as a project set a
relatively aggressive date of turning off 1024-bit keys.

The biggest drawback I foresee is that this does put a large burst of
workload on the keyring maintainers.  (I suspect however this
shouldn't be a showstopper, as we could make approval contingent on
having enough extra volunteers to implement it.)


P.S. - We could even give a certain grace period, after disabling 1024
bit keys, to allow DDs to use the same process if they somehow missed
the announcements and get stuck being unable to upload. (This way we
can be even more aggressive about turning off the 1024-bit keys.)
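A model of the process proposed above (a transition role key that certifies a new key only when the request is signed by the DD's existing keyring key, with the certification valid for a limited window), written as an added example for this message; it is not Debian keyring-maint tooling and does not use OpenPGP. Ed25519 keys stand in for the weak and strong OpenPGP keys, the DD name "alice", the 12-month window and the dates are constructed, and the request and certification formats are assumptions chosen for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// fingerprint stands in for an OpenPGP fingerprint: a SHA-256 prefix of the raw key.
func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// TransitionRequest is what a DD signs with the OLD (weak) key: "this new key is mine".
type TransitionRequest struct {
	DD             string
	OldKey, NewKey ed25519.PublicKey
	Sig            []byte // by OldKey over requestBytes
}

func requestBytes(dd string, oldKey, newKey ed25519.PublicKey) []byte {
	return []byte("transition|" + dd + "|" + fingerprint(oldKey) + "|" + fingerprint(newKey))
}

// SignRequest is the DD's side: bind the new key to the identity using the old key.
func SignRequest(dd string, oldPriv ed25519.PrivateKey, newPub ed25519.PublicKey) TransitionRequest {
	oldPub := oldPriv.Public().(ed25519.PublicKey)
	return TransitionRequest{dd, oldPub, newPub, ed25519.Sign(oldPriv, requestBytes(dd, oldPub, newPub))}
}

// RoleCert is the time-limited certification issued by the transition role key.
type RoleCert struct {
	DD      string
	NewKey  ed25519.PublicKey
	Expires time.Time
	Sig     []byte // by the role key over certBytes
}

func certBytes(dd string, newKey ed25519.PublicKey, expires time.Time) []byte {
	return []byte("rolecert|" + dd + "|" + fingerprint(newKey) + "|" + expires.UTC().Format(time.RFC3339))
}

// Keyring models keyring-maint state: the role key, each DD's current key,
// disabled old keys, and who still owes two real DD signatures.
type Keyring struct {
	rolePriv ed25519.PrivateKey
	RolePub  ed25519.PublicKey
	keys     map[string]ed25519.PublicKey
	disabled map[string]bool // fingerprint of a disabled key
	Pending  map[string]bool // DD name -> still needs real sigs
}

func NewKeyring(keys map[string]ed25519.PublicKey) (*Keyring, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Keyring{priv, pub, keys, map[string]bool{}, map[string]bool{}}, nil
}

// Issue accepts a request only if it is signed by the key the keyring currently
// holds for that DD; it then certifies the new key for `window`, disables the old
// key and records the DD as still needing real signatures.
func (k *Keyring) Issue(req TransitionRequest, now time.Time, window time.Duration) (RoleCert, error) {
	cur, ok := k.keys[req.DD]
	if !ok || !bytes.Equal(cur, req.OldKey) || k.disabled[fingerprint(cur)] {
		return RoleCert{}, errors.New("old key is not the active keyring key for this DD")
	}
	if !ed25519.Verify(req.OldKey, requestBytes(req.DD, req.OldKey, req.NewKey), req.Sig) {
		return RoleCert{}, errors.New("request is not signed by the old key")
	}
	exp := now.Add(window)
	cert := RoleCert{req.DD, req.NewKey, exp, ed25519.Sign(k.rolePriv, certBytes(req.DD, req.NewKey, exp))}
	k.disabled[fingerprint(cur)] = true
	k.keys[req.DD] = req.NewKey
	k.Pending[req.DD] = true
	return cert, nil
}

// VerifyRoleCert is the upload-side check: role-key signature valid and window not passed.
func VerifyRoleCert(rolePub ed25519.PublicKey, c RoleCert, now time.Time) error {
	if !ed25519.Verify(rolePub, certBytes(c.DD, c.NewKey, c.Expires), c.Sig) {
		return errors.New("cert is not signed by the transition role key")
	}
	if now.After(c.Expires) {
		return errors.New("transition window expired; real DD signatures still missing")
	}
	return nil
}

// Scenario runs the process end to end with constructed keys and reports each check.
func Scenario() (issued, uploadOK, expiredRejected, forgedRejected bool, err error) {
	oldPub, oldPriv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the weak key
	newPub, _, _ := ed25519.GenerateKey(rand.Reader)        // stands in for the strong key
	kr, err := NewKeyring(map[string]ed25519.PublicKey{"alice": oldPub})
	if err != nil {
		return
	}
	now := time.Date(2014, 3, 1, 0, 0, 0, 0, time.UTC) // constructed date
	window := 365 * 24 * time.Hour                     // the 12 months suggested above
	cert, err := kr.Issue(SignRequest("alice", oldPriv, newPub), now, window)
	issued = err == nil
	uploadOK = VerifyRoleCert(kr.RolePub, cert, now.Add(30*24*time.Hour)) == nil
	expiredRejected = VerifyRoleCert(kr.RolePub, cert, now.Add(window+time.Hour)) != nil
	// A request signed by a key the keyring never held for alice must be refused.
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, e := kr.Issue(SignRequest("alice", strangerPriv, newPub), now, window)
	forgedRejected = e != nil
	return
}

func main() {
	fmt.Println(Scenario())
}
```

The Pending map is what lets the maintainers track who still needs the two real DD signatures; once those arrive the entry would be cleared and the role certification becomes irrelevant. Because Issue compares the request's old key against the keyring's current entry, a disabled key cannot be used a second time, and a key never in the keyring cannot start a transition at all.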
