all messages for Guix-related lists mirrored at yhetil.org
From: Tobias Geerinckx-Rice <me@tobias.gr>
To: Eric Bavier <bavier@posteo.net>
Cc: guix-devel@gnu.org
Subject: Re: New signing key
Date: Tue, 29 Jun 2021 16:40:35 +0200
Message-ID: <87eeckbs8d.fsf@nckx>
In-Reply-To: <87wnqcrbdm.fsf@gnu.org>

Question: I think committers should be trusted with discretion in 
how they prefer to manage their keys, but how about briefly 
documenting a suggested sane key-management strategy to new 
committers, like we already describe some rando's editor set-up? 
:-)

I don't think most people *insist* on their current one, it's just 
what they know; and GPG is complex and gnarly.

Eric Bavier <bavier@posteo.net> wrote:
> In this case, the old key had already expired.  I think others here
> have reset the expiry date on their keys before?

Limiting validity to 1…2y is considered good hygiene, as is simply 
extending the date whenever it's about to expire.  It proves you 
still control the private key.  It doesn't matter if you miss the 
deadline.

It's what I'd suggest for Guix because it gives committers full 
control over renewal without the inherent risk of updating the 
keyring & .guix-authorizations each time.  It also makes such 
commits less routine, which I think is good…

> I like the idea of honoring the expiration dates I set

Excellent, but ^ this…

> and creating a new key.

…doesn't imply ^ this.

Signing your existing key with a new expiry date is just as 
honourable^Wsecure, and much less hassle.  You would have avoided 
the delay you encountered here.  Others would get a better error 
message (‘expired’ vs. now ‘unknown’).  Etc.

I'm not aware of any authority on best practices that would claim 
the opposite, but if you are, I'd be grateful to hear about it!

Kind regards,

T G-R
