From MAILER-DAEMON Wed Dec 01 21:47:42 2021
From: "Jason Self via RT"
Cc: bug-standards@gnu.org
Subject: [gnu.org #1783839] Updating info about fencepost account availability
Date: Wed, 01 Dec 2021 21:47:38 -0500
List-Id: "Feedback on the GNU Coding Standards."

On Wed Dec 01 15:23:43 2021, Andrew Engelbrecht wrote:
> Hello GNU webmasters,
>
> The following page seems to imply that any GNU contributor may have a
> fencepost account. In actuality, only a subset of GNU maintainers have
> access, aside from edge cases like some webmasters, FSF interns, etc.
> As far as I can tell, the maintainers who do have access tend to be
> either the sole maintainer of a given package, or they serve an
> administrative role for that package. The way I know which maintainers
> to accept is according to a file maintained by the maintainers@gnu.org
> volunteers.
>
> We shouldn't include all of that detail, but it would be helpful if we
> say that some, but not all contributors to GNU may have an account.
>
> If it stays the same, it's not a big deal, but would likely lead to a
> little less frustration for people applying for and being rejected
> from getting a fencepost account.
>
> https://www.gnu.org/software/README.accounts.html
>
> Thanks, : )
> Andrew

If access to fencepost is intended only for maintainers (since the
sysadmins check the maintainers file), maybe this page can be merged
into maintain.texi and deleted. Add bug-standards@gnu.org to see what
they say on the topic.

From MAILER-DAEMON Thu Dec 02 01:11:32 2021
From: John Darrington
To: Jason Self via RT
Cc: bug-standards@gnu.org
Subject: Re: [gnu.org #1783839] Updating info about fencepost account availability
Date: Thu, 2 Dec 2021 07:09:00 +0100

My understanding was that all *may* have an account, but only some
*do* have an account. In other words, the process is not automatic.
I was a GNU maintainer for about 15 years before I got an account.

If the FSF sysadmins can arrange for it, I would be quite happy for
our maintainers file to be linked to an LDAP resource so that it
becomes automatic. This would be very helpful at weeding out
accounts for people who stepped down and ceased contribution many
years ago.

J'

On Wed, Dec 01, 2021 at 09:47:38PM -0500, Jason Self via RT wrote:
     On Wed Dec 01 15:23:43 2021, Andrew Engelbrecht wrote:
     > Hello GNU webmasters,
     >
     > The following page seems to imply that any GNU contributor may have a
     > fencepost account. In actuality, only a subset of GNU maintainers have
     > access, aside from edge cases like some webmasters, FSF interns, etc.
     > As far as I can tell, the maintainers who do have access tend to be
     > either the sole maintainer of a given package, or they serve an
     > administrative role for that package. The way I know which maintainers
     > to accept is according to a file maintained by the maintainers@gnu.org
     > volunteers.
     >
     > We shouldn't include all of that detail, but it would be helpful if we
     > say that some, but not all contributors to GNU may have an account.
     >
     > If it stays the same, it's not a big deal, but would likely lead to a
     > little less frustration for people applying for and being rejected
     > from getting a fencepost account.
     >
     > https://www.gnu.org/software/README.accounts.html
     >
     > Thanks, : )
     > Andrew

     If access to fencepost is intended only for maintainers (since the
     sysadmins check the maintainers file), maybe this page can be merged
     into maintain.texi and deleted. Add bug-standards@gnu.org to see what
     they say on the topic.

From MAILER-DAEMON Thu Dec 02 02:48:40 2021
From: "Alfred M. Szmidt"
To: webmasters-comment@gnu.org
Cc: bug-standards@gnu.org
Subject: Re: [gnu.org #1783839] Updating info about fencepost account availability
Date: Thu, 02 Dec 2021 02:48:34 -0500

   > The following page seems to imply that any GNU contributor may have a
   > fencepost account. In actuality, only a subset of GNU maintainers have
   > access, aside from edge cases like some webmasters, FSF interns, etc.

That is exactly what it means, anyone doing useful work for the GNU
project can ask for an account on Fencepost.

   > If it stays the same, it's not a big deal, but would likely lead to a
   > little less frustration for people applying for and being rejected
   > from getting a fencepost account.

Why are they being rejected? The criteria for an account on Fencepost
is not if someone is a GNU maintainer, it is if they are helping the
GNU project (which includes both GNU maintainers, contributors, and
anyone else who wishes to further the GNU project). We have plenty of
users with legitimate access who are not maintainers. Just like the
README.accounts file says.

   If access to fencepost is intended only for maintainers (since the
   sysadmins check the maintainers file), maybe this page can be merged
   into maintain.texi and deleted.

Fencepost is intended for all GNU contributors, maintainers or
non-maintainers.

From MAILER-DAEMON Fri Dec 03 09:31:14 2021
From: "Jason Self via RT"
Cc: bug-standards@gnu.org
Subject: [gnu.org #1783839] Updating info about fencepost account availability
Date: Fri, 03 Dec 2021 09:31:11 -0500

John Darrington wrote:
> My understanding was that all *may* have an account, but only some
> *do* have an account. In other words, the process is not automatic.
> I was a GNU maintainer for about 15 years before I got an account.
>
> If the FSF sysadmins can arrange for it, I would be quite happy for
> our maintainers file to be linked to an LDAP resource so that it
> becomes automatic. This would be very helpful at weeding out
> accounts for people who stepped down and ceased contribution many
> years ago.

Okay but without that automation, is what the sysadmins seem to
currently be doing (checking the maintainer file on fencepost before
granting access) the correct process then? That seems to be an easy
and concrete way for the sysadmins to validate requests for access.

But if the intention is that it's more nebulous, as ams indicates,
how are the sysadmins to validate which requests should be allowed
without opening it up such that any random person can send an email
and get access? Who is to make that call and how?

From MAILER-DAEMON Fri Dec 03 10:25:21 2021
From: "Alfred M. Szmidt"
To: webmasters-comment@gnu.org
Cc: bug-standards@gnu.org
Subject: Re: [gnu.org #1783839] Updating info about fencepost account availability
Date: Fri, 03 Dec 2021 10:25:19 -0500

   Okay but without that automation, is what the sysadmins seem to
   currently be doing (checking the maintainer file on fencepost before
   granting access) the correct process then? That seems to be an easy
   and concrete way for the sysadmins to validate requests for access.

That has never been the correct process. While that way might be easy
for the FSF admins, it also excludes and hinders the GNU project by
getting more people involved in daily work. Not everything is done by
being a maintainer, there are many other roles.

   But if the intention is that it's more nebulous, as ams indicates,
   how are the sysadmins to validate which requests should be allowed
   without opening it up such that any random person can send an email
   and get access? Who is to make that call and how?

I got my account as a random person many many decades ago by just
asking -- before that I would login as rms, and my mail was via an
alias to a file somewhere world writable.

It is true that today's reality might be slightly different being far
more hostile and we don't want to repeat the breaches that occurred
some decades before. So having some higher bar is sensible, for
example if another user of FP asks for an account for someone instead
of anonymous requests (basically on recommendation) that should be
just fine.

What we should absolutely not do is to hinder people who are
contributing something to the GNU project in roles other than
maintainership from getting an account. If they need it, they should
get one, that has always been how we have done things.

From MAILER-DAEMON Mon Dec 13 04:56:36 2021
From: "Therese Godefroy via RT"
Cc: bug-standards@gnu.org
Subject: [gnu.org #1784615] Textual change regarding ftp-upload instructions
Date: Mon, 13 Dec 2021 04:56:33 -0500

Hello GNU Coding Standards team,

I'm forwarding this ticket because, as far as I know, you are in
charge of the Maintainers Guide.

Best regards,
Thérèse

On Thu 02 Dec 2021 16:36:25, andrew wrote:
> Hello GNU webmasters,
>
> Could you please change this text:
>
> - 2. The ASCII armored copy of your GPG key, as an attachment.
> + 2. The ASCII armored copy of your GPG key.
>
> https://www.gnu.org/prep/maintain/html_node/Automated-Upload-
> Registration.html#Automated-Upload-Registration
>
> The current text is a little confusing, because it says that text is
> an attachment within a GPG clear signed message, that is itself an
> attachment to an email. It seems to imply that people should be using
> a special format with email attachment boundaries when composing the
> GPG signed message to ftp-upload@gnu.org.
>
> Thanks,
> Andrew

From MAILER-DAEMON Mon Dec 13 06:31:57 2021
From: "Alfred M. Szmidt"
To: webmasters-comment@gnu.org
Cc: bug-standards@gnu.org
Subject: Re: [gnu.org #1784615] Textual change regarding ftp-upload instructions
Date: Mon, 13 Dec 2021 06:31:41 -0500

   > Could you please change this text:
   >
   > - 2. The ASCII armored copy of your GPG key, as an attachment.
   > + 2. The ASCII armored copy of your GPG key.
   >
   > https://www.gnu.org/prep/maintain/html_node/Automated-Upload-
   > Registration.html#Automated-Upload-Registration
   >
   > The current text is a little confusing, because it says that text is
   > an attachment within a GPG clear signed message, that is itself an
   > attachment to an email. It seems to imply that people should be using
   > a special format with email attachment boundaries when composing the
   > GPG signed message to ftp-upload@gnu.org.

Not sure I understand the confusion. Your armored GPG key should
be put in as an attachment in the MSGFILE. _THAT_ file in turn needs
to be clear-signed as well.

What does "special format with email attachment boundaries" mean
here?

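Review bot: the `+` line for item 2 drops ", as an attachment" but does not say where the key goes instead, so a reader can still send it as a separate attachment outside the clearsigned text. State the placement in the item itself, for example "2. The ASCII armored copy of your GPG key, included in the text you clearsign."
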
From MAILER-DAEMON Mon Dec 13 11:13:25 2021 Received: from list by lists.gnu.org with archive (Exim 4.90_1) id 1mwnx7-0003Uu-9a for mharc-bug-standards@gnu.org; Mon, 13 Dec 2021 11:13:25 -0500 Received: from eggs.gnu.org ([209.51.188.92]:44126) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mwnx6-0003Tn-AD for bug-standards@gnu.org; Mon, 13 Dec 2021 11:13:24 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=fsf.org; s=eggs-gnu-org; h=MIME-Version:In-reply-to:Date:Subject:To:From:References; bh=P+UkPzNzRvrs22EYS4qpsEVCZq/VW/wdcGbk5zedXI0=; b=jSDNz39GAMZT/u7FEUCiWIEQ5 yNIZx5HRv2RNpnwLozfU80Y73A8So5zsljG262cJV4twKFKPAd949wUdI3htGJKSIIkncxPrgG4m0 nQjT8weNS+SAXpKmyAzfIJA7bUq+p/RvHsihn9fWg9rMAiE8ROnIpm1CJjA/D7kYWyTuVk49gk/SO ZH9Aq4jSBVfCTrai8M32XDgF+5eFOQv71BR0uYivs34k8NkXnNJoaVYkZLq8GLTDSdeBH7r4P3Fs7 OH4ZPyXqoLP3EQldS19fyZOvN/0jlegPAedXjFhk7UdNvdjAbL8vTzHsVBvn4sxRxdUb5i07HQZw8 Rv71W3Uxw==; Received: from [2001:470:142::13] (port=39116 helo=mail.fsf.org) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mwnx6-0007Qh-0z; Mon, 13 Dec 2021 11:13:24 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=fsf.org; s=mail-fsf-org; h=MIME-Version:In-reply-to:Date:Subject:To:From:References; bh=P+UkPzNzRvrs22EYS4qpsEVCZq/VW/wdcGbk5zedXI0=; b=XSPMq29tdaK4pX7t87r7bZ9ss p5RjfZOH4TxzTENQW2rpvfUmLj8LLCl60+rsz+CQp4rRzmInt/6GZ8hS5N4MVoCo81qzsk2GD1D0f VHIa7Li0Ys6O6cq+e8zjFOsaeP4eE/Cy+RH+wLiUlDBIxGDjrVARaAv81iLf0XGCiBe72KR2WIfWJ CCxvbtfUlxd5AIbuvzmhd/iPJ2ptw1mmby0KRGbfcSsHiTVefhj3t8TnLXg3eYJEtpxpwZYGY7gYB CGVohZ8AfKBWE+UQm2BRH8i6ruX8UuKNXw3ZBgSTOCZULENNM0Amse/RNCy2wpNMjpMEjkx3v8tuk tw8JdnxNA==; Received: from jumpgate.fsf.org ([74.94.156.211]:46240 helo=mail.iankelling.org) by mail.fsf.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mwnx5-0005A9-O5; Mon, 13 Dec 2021 11:13:23 -0500 Received: 
from iank by mail.iankelling.org with local (Exim 4.93) (envelope-from ) id 1mwnx5-00BKKB-26; Mon, 13 Dec 2021 11:13:23 -0500 References: User-agent: mu4e 1.7.0; emacs 28.0.50 From: Ian Kelling To: "Alfred M. Szmidt" Cc: webmasters-comment@gnu.org, bug-standards@gnu.org Subject: Re: [gnu.org #1784615] Textual change regarding ftp-upload instructions Date: Mon, 13 Dec 2021 11:05:26 -0500 In-reply-to: Message-ID: <87fsqw1o0s.fsf@fsf.org> MIME-Version: 1.0 Content-Type: text/plain X-BeenThere: bug-standards@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Feedback on the GNU Coding Standards." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Dec 2021 16:13:24 -0000 "Alfred M. Szmidt" writes: > > Could you please change this text: > > > > - 2. The ASCII armored copy of your GPG key, as an attachment. > > + 2. The ASCII armored copy of your GPG key. > > > > https://www.gnu.org/prep/maintain/html_node/Automated-Upload- > > Registration.html#Automated-Upload-Registration > > > > The current text is a little confusing, because it says that text is > > an attachment within a GPG clear signed message, that is itself an > > attachment to an email. It seems to imply that people should be using > > a special format with email attachment boundaries when composing the > > GPG signed message to ftp-upload@gnu.org. > > Not sure I understand the confusion. The your armored GPG key should > be put in as an attatchment in the MSGFILE. _THAT_ file inturn needs > to be clear-signed as well. > > What does "special format with email attatchment boundaries" mean > here? I see the confusion. The instructions on item 3 say to me: make a text file with 4 things, then clearsign it and attach it. But, one of those 4 things says its should be an attachment, but if its in a text file with other things, it can't also be an attachment on its own. So, I think this patch is good. 
-- Ian Kelling | Senior Systems Administrator, Free Software Foundation GPG Key: B125 F60B 7B28 7FF6 A2B7 DF8F 170A F0E2 9542 95DF https://fsf.org | https://gnu.org From MAILER-DAEMON Mon Dec 13 12:54:16 2021 Received: from list by lists.gnu.org with archive (Exim 4.90_1) id 1mwpWi-0006a7-BX for mharc-bug-standards@gnu.org; Mon, 13 Dec 2021 12:54:16 -0500 Received: from eggs.gnu.org ([209.51.188.92]:41640) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mwpWg-0006ZT-LB for bug-standards@gnu.org; Mon, 13 Dec 2021 12:54:14 -0500 Received: from [2001:470:142:3::e] (port=38812 helo=fencepost.gnu.org) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mwpWc-0007jo-C5; Mon, 13 Dec 2021 12:54:14 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=Date:References:Subject:In-Reply-To:To:From: mime-version; bh=UMc0kdBIRUJ7wd+YJoJTgSdVBnDkkOgd/cjQy44utJE=; b=lXRTVfMTxWTA RVkieLJBfF22eN304gnkRxH6iWt/j38aAP/NX4Ik7J9KMzHsJ8lhzw2hmsLvJd1fVp/LGrwOA/dSk IbhlmLtZ2Q3ByK0kMZcld1nhMmKSmysDvwRG/fG3GtHiaa3eQVD/YC3mdewJ307v8oHrm+PGsMimu w/8YqWU9TlQNrt4pC2RFL6xCTguNU2/J56Bpt6ZT5n0AZ/o8yxk6lu01Qlv+RZRjZc+IQSiLogt+2 OLVWAvetSiZzkaNa9y/NJvkpC6EEhRFgWS4Ovz5CWCtOESnMWLA7wnMbzoq+xhBYuMMM23cG9PW8E IMfIGpfVBmL/vTwBMHHslw==; Received: from ams by fencepost.gnu.org with local (Exim 4.90_1) (envelope-from ) id 1mwpWc-0000ER-Gr; Mon, 13 Dec 2021 12:54:10 -0500 From: "Alfred M. 
Szmidt" To: Ian Kelling Cc: webmasters-comment@gnu.org, bug-standards@gnu.org In-Reply-To: <87fsqw1o0s.fsf@fsf.org> (message from Ian Kelling on Mon, 13 Dec 2021 11:05:26 -0500) Subject: Re: [gnu.org #1784615] Textual change regarding ftp-upload instructions References: <87fsqw1o0s.fsf@fsf.org> Message-Id: Date: Mon, 13 Dec 2021 12:54:10 -0500 X-BeenThere: bug-standards@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Feedback on the GNU Coding Standards." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Dec 2021 17:54:14 -0000 > > Could you please change this text: > > > > - 2. The ASCII armored copy of your GPG key, as an attachment. > > + 2. The ASCII armored copy of your GPG key. > > > > https://www.gnu.org/prep/maintain/html_node/Automated-Upload- > > Registration.html#Automated-Upload-Registration > > > > The current text is a little confusing, because it says that text is > > an attachment within a GPG clear signed message, that is itself an > > attachment to an email. It seems to imply that people should be using > > a special format with email attachment boundaries when composing the > > GPG signed message to ftp-upload@gnu.org. > > Not sure I understand the confusion. The your armored GPG key should > be put in as an attatchment in the MSGFILE. _THAT_ file inturn needs > to be clear-signed as well. > > What does "special format with email attatchment boundaries" mean > here? I see the confusion. The instructions on item 3 say to me: make a text file with 4 things, But that is not what it says, it says to construct a _message_ that is then sent. Not arguing that the text isn't clear, just that silly me doesn't see the unclearness to suggest a better wording. then clearsign it and attach it. But, one of those 4 things says its should be an attachment, but if its in a text file with other things, it can't also be an attachment on its own. So, I think this patch is good. 
I'm not sure -- this depends entierly on how ftp-upload@ works. If the expected format is that the GPG key is infact an attachment, then this makes it less clear. Is that the case? Maybe the overall wording could be improved entierly... Or maybe gnupload can do this stuff? From MAILER-DAEMON Mon Dec 13 20:48:51 2021 Received: from list by lists.gnu.org with archive (Exim 4.90_1) id 1mwwvz-0000AH-LI for mharc-bug-standards@gnu.org; Mon, 13 Dec 2021 20:48:51 -0500 Received: from eggs.gnu.org ([209.51.188.92]:59506) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mwwvx-00008q-G2 for bug-standards@gnu.org; Mon, 13 Dec 2021 20:48:49 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=fsf.org; s=eggs-gnu-org; h=MIME-Version:In-reply-to:Date:Subject:To:From:References; bh=naPhWvC5Pd8B1FMgC5q+AYYD04wUc5uICBZ7MXli7xg=; b=jMkjXcQ0uTRhDWMC3riS8Tv0J Euc8/h5L/qYw+qB1WAd9iZ6fh2LzwyrYmXDoKK9zpzAm1pV6uj8nKqEmnX4lcBfihInpRIXFK64v9 GivChrflo61IhONDVf38nPn/MiV1I6t1rqhB4vvXzsG2JornQH7hV82D2JaFQ+yWNGqSHq4i31qV5 6prwefOz2oOGE4E3Rx1Kl15njozwE/oRurkP2e7SbhHTU9At0PilptTxHWb1nmtgi8GeRrM8VGpTI XhoFcBnaO7E2n7dH15MwHWS26cXAEPcEnye7v3MT9d+OYPNQ4fQjwKOpSQjkZ/GcKPndTTQC9gIpR 3ASZUvUxA==; Received: from [2001:470:142::13] (port=55096 helo=mail.fsf.org) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mwwvx-0007n5-4A; Mon, 13 Dec 2021 20:48:49 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=fsf.org; s=mail-fsf-org; h=MIME-Version:In-reply-to:Date:Subject:To:From:References; bh=naPhWvC5Pd8B1FMgC5q+AYYD04wUc5uICBZ7MXli7xg=; b=XWn3l3qhl6DjN79vRWKcY5VQ/ Vz7aMkOGuAz5sZ8c05jcZEteORnqycdtxhB6NDSakoG34++DQoHauYXLK05/y6y4O5VcrbZljygKd wo6Rf6sVYGSTqh/ErbePy4eFl7x+cQLrqocD71w78K0eg+flQs99b/t2MVREXL8xZt53PJHh5PNwn 0R7ghDjsVTzBEIVmErd6w/BusRpdiRz4L6hA/XYjm8dFRb9fKuwhyR6IL6wWukaWsMf5ZFIWHv14n 
ymCef8rMYGlnuiMexnfyu2RMRJIFAxyPJ6czEQ3V2X6Fbet5SHISFAzAJ80gT+L13WuPGyC1MYXyi cfVODnbrQ==; Received: from jumpgate.fsf.org ([74.94.156.211]:46378 helo=mail.iankelling.org) by mail.fsf.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mwwvw-0002kF-SN; Mon, 13 Dec 2021 20:48:48 -0500 Received: from iank by mail.iankelling.org with local (Exim 4.93) (envelope-from ) id 1mwwvw-00CYgP-5a; Mon, 13 Dec 2021 20:48:48 -0500 References: <87fsqw1o0s.fsf@fsf.org> User-agent: mu4e 1.7.0; emacs 28.0.50 From: Ian Kelling To: "Alfred M. Szmidt" Cc: webmasters-comment@gnu.org, bug-standards@gnu.org Subject: Re: [gnu.org #1784615] Textual change regarding ftp-upload instructions Date: Mon, 13 Dec 2021 19:48:42 -0500 In-reply-to: Message-ID: <87sfuwvtvj.fsf@fsf.org> MIME-Version: 1.0 Content-Type: text/plain X-BeenThere: bug-standards@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Feedback on the GNU Coding Standards." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Dec 2021 01:48:49 -0000 "Alfred M. Szmidt" writes: > > > Could you please change this text: > > > > > > - 2. The ASCII armored copy of your GPG key, as an attachment. > > > + 2. The ASCII armored copy of your GPG key. > > > > > > https://www.gnu.org/prep/maintain/html_node/Automated-Upload- > > > Registration.html#Automated-Upload-Registration > > > > > > The current text is a little confusing, because it says that text is > > > an attachment within a GPG clear signed message, that is itself an > > > attachment to an email. It seems to imply that people should be using > > > a special format with email attachment boundaries when composing the > > > GPG signed message to ftp-upload@gnu.org. > > > > Not sure I understand the confusion. The your armored GPG key should > > be put in as an attatchment in the MSGFILE. _THAT_ file inturn needs > > to be clear-signed as well. 
> >
> > What does "special format with email attachment boundaries" mean
> > here?
>
> I see the confusion. The instructions on item 3 say to me: make a text
> file with 4 things,
>
> But that is not what it says, it says to construct a _message_ that is
> then sent.
>
> Not arguing that the text isn't clear, just that silly me doesn't see
> the unclearness to suggest a better wording.
>
> then clearsign it and attach it. But, one of those 4
> things says it should be an attachment, but if it's in a text file with
> other things, it can't also be an attachment on its own. So, I think
> this patch is good.
>
> I'm not sure -- this depends entirely on how ftp-upload@ works. If
> the expected format is that the GPG key is in fact an attachment, then
> this makes it less clear. Is that the case? Maybe the overall
> wording could be improved entirely...
>
> Or maybe gnupload can do this stuff?

ftp-upload@gnu.org goes to our request tracker instance, and sysadmins (including me), manually handle every message. A key point is that request tracker mangles all MIME signatures, so things should be clearsigned.

To handle your confusion about whether it should be a text file, replace

"Compose a message with the following items in some /msgfile/."

with

"Compose a text file, hereafter called /msgfile/, with the items listed below in it."

Then the first 3 should be like so:

1. Include a statement such as: "I intend for the GPG keys contained in this signed message to be authorized to upload releases to the GNU release server for the following package(s)", and list the package(s) you want to authorize. You must be an official GNU maintainer or uploader for them.

2. Your name, your preferred email address for upload notifications, and your Savannah username.

3. An ASCII armored copy of your GPG key.

Then #4 and #5 are the old #3 and #4.

The addition to #1, it gets a bit long, so I split it into #1 and #2.
They help fix a security issue that has nagged me for a long time: people often sign a message that basically contains their email and a list of packages, and outside of the signed message in the subject is an indication they want to register the signing gpg key for uploads for those packages. The problem is that the signed message itself is ambiguous, there's a remote possibility that they signed that message with some other intent, in some other context, then someone included the signed message in a forged email.

Generally, having the gpg key as part of the signed message and not being its own attachment is slightly better. If it was just attached and someone intercepted and modified the email, they could replace the key with one that added signatures to it, or perhaps some other nonsense.

- Ian
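The two points in the message above (the intent statement and the key should both sit inside the clearsigned text) can be checked mechanically before a request is handled. The following is an added example, not code from the GNU sysadmins or from this thread: the function names, the phrase it matches on, and both sample messages are assumptions constructed for illustration, and it only inspects what the signature covers, so the signature itself must still be verified with GnuPG.

```python
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
KEY_MARK = "BEGIN PGP PUBLIC KEY BLOCK"
# Phrase from the statement proposed above; matching on it is an assumption.
INTENT = re.compile(r"authorized\s+to\s+upload\s+releases", re.I)

def split_mail(body):
    """Return (signed_text, unsigned_text), or None if nothing is clearsigned."""
    lines = body.splitlines()
    try:
        start = lines.index(BEGIN_MSG)
        end = lines.index(BEGIN_SIG, start)
        blank = lines.index("", start, end)  # ends the "Hash:" armor headers
    except ValueError:
        return None
    # Undo dash-escaping (RFC 4880, 7.1): "- -----BEGIN" becomes "-----BEGIN".
    signed = [l[2:] if l.startswith("- ") else l for l in lines[blank + 1:end]]
    return "\n".join(signed), "\n".join(lines[:start] + lines[end:])

def check_registration(body):
    """List reasons a request is ambiguous. Does NOT verify the signature."""
    parts = split_mail(body)
    if parts is None:
        return ["no clearsigned text"]
    signed, unsigned = parts
    problems = []
    if not INTENT.search(signed):
        problems.append("intent statement not covered by signature")
    if KEY_MARK not in signed:
        problems.append("key not covered by signature")
    if KEY_MARK in unsigned:
        problems.append("key present outside signed text")
    return problems

def clearsign_stub(text):
    """Constructed sample framing only; the signature body is a placeholder."""
    esc = "\n".join("- " + l if l.startswith("-") else l for l in text.splitlines())
    return (f"{BEGIN_MSG}\nHash: SHA256\n\n{esc}\n{BEGIN_SIG}\n\n"
            "(placeholder)\n-----END PGP SIGNATURE-----\n")

# Constructed samples: the proposed request format, and the weak pattern it replaces.
KEY = f"-----{KEY_MARK}-----\n(constructed placeholder)\n-----END PGP PUBLIC KEY BLOCK-----"
GOOD = clearsign_stub(
    "I intend for the GPG keys contained in this signed message to be authorized "
    "to upload releases to the GNU release server for the following package(s): "
    "examplepkg\nA. Maintainer, am@example.org, Savannah user amaint\n" + KEY)
WEAK = "Subject: register key\n\n" + clearsign_stub("am@example.org\nexamplepkg") + KEY
```

`check_registration(GOOD)` returns an empty list, while `WEAK` is flagged on all three counts because its intent lives only in the subject line and its key sits after the signature block.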