Verified Commit 6e23b786 authored by David Runge's avatar David Runge
Browse files

Update issue templates

.gitlab/issue_templates/*:
Replace allan with grazzolini when assigning tickets or when addressing
main key holders.
Streamline the checkbox system, by relying on less interaction from the
main key holders side if possible (e.g. checks on new keys are done
automatically in a merge request, so have contributors open the merge
request).
Add more documentation on what needs to be edited and how to provide
data exactly (e.g. keyid format, clearsigned document).
parent 845dba12
Pipeline #16581 passed with stage
in 20 seconds
......@@ -2,8 +2,12 @@
This template is used when a new main PGP public key needs to be added to the
distribution's keyring.
It is used by users with a valid packager key.
NOTE: All comment sections with a MODIFY note need to be edited. All checkboxes
in the "Checks" section labeled as "Owner of new key" need to be checked by the
owner of the new key.
-->
/assign @allan @anthraxx @bluewind @dvzrv @pierre
/assign @anthraxx @bluewind @dvzrv @grazzolini @pierre
/label ~"new main key"
/title New main key of <!-- MODIFY: Add new main key holder's username -->
<!--
......@@ -16,18 +20,27 @@ issue and assign relevant users.
## Details
- Username: <!-- MODIFY: Add the @-prefixed username -->
- PGP key ID: <!-- MODIFY: Add the "long format" key ID of the new PGP public key here -->
- PGP key ID: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <MY UID> | sed -n '2p' | tr -d ' '` here -->
- Revocation Certificate Holder: <!-- MODIFY: Add the @-prefixed username of the revocation certificate holder -->
<!--
NOTE: Attach the above information as a clearsigned document to this ticket
using a valid packager key of the user.
https://www.gnupg.org/gph/en/manual/x135.html
MODIFY: Attach the above information of the details section as a clearsigned
document (see https://www.gnupg.org/gph/en/manual/x135.html) to this ticket
using a valid packager key of the user:
* Select the above text, copy/paste it into a file (e.g. `details.txt`).
* Make sure to sign with the root certificate of the packager key (not any of
the subkeys!):
`gpg --armor --default-key <fingerprint_of_root>! --clearsign details.txt`
* Upload `details.txt` as attachment to this ticket.
-->
## Checks
### New key owner
**NOTE**: The below check boxes **must be** checked before the accompanying
merge request to add the new main key can be merged.
### Owner of new key
- [ ] The [workflow for adding a new main
key](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-main-key)
......@@ -38,18 +51,17 @@ https://www.gnupg.org/gph/en/manual/x135.html
a clearsigned document
- [ ] The revocation certificate has been sent in an encrypted message to the
revocation certificate holder
- [ ] The public key has been uploaded to the SKS infrastructure
### Keyring maintainer
- [ ] The key pair has been validated according to the [best
practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
- [ ] The data in the [Details](#details) section is correct and signed with a
valid and trusted packager key, which is part of `pacman-key`
- [ ] The public key has been uploaded to the pgp.mit.edu and keyserver.ubuntu.com
- [ ] A merge request to add the new public key has been created
### Revocation Certificate Holder
- [ ] The revocation certificate has been [verified
as working](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/verify-a-revocation-certificate)
and confirmed in a comment to this issue
- [ ] The revocation certificate has been backed up in a dedicated encrypted backup storage
- [ ] The revocation certificate has been backed up on a dedicated encrypted backup storage medium
### Main key holders
- [ ] The data in the [Details](#details) section is correct and signed with a
valid and trusted packager key, which is already part of `archlinux-keyring`
......@@ -3,8 +3,12 @@ This template is used when a new packager PGP public key needs to be added to
the distribution's keyring.
It is either used by the sponsor of a new packager or by an existing packager
when adding a new key for themself.
NOTE: All comment sections with a MODIFY note need to be edited. All checkboxes
in the "Checks" section labeled as "Owner of new key" need to be checked by the
owner of the new key or by a sponsor of a new packager.
-->
/assign @allan @anthraxx @bluewind @dvzrv @pierre
/assign @anthraxx @bluewind @dvzrv @grazzolini @pierre
/label ~"new packager key"
/title New packager key of <!-- MODIFY: Add new packager key holder's username -->
<!--
......@@ -17,24 +21,33 @@ issue and assign relevant users.
## Details
- Username: <!-- MODIFY: Add the @-prefixed username -->
- PGP key ID: <!-- MODIFY: Add the "long format" key ID of the new PGP public key here -->
- PGP key ID: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <MY UID> | sed -n '2p' | tr -d ' '` here -->
- Sponsors: <!-- MODIFY: Add the @-prefixed usernames of the sponsors -->
- Application: <!-- MODIFY: Add link to application, if this is the key of a new packager, else remove -->
- Results: <!-- MODIFY: Add link to results of application, if this is the key of a new packager, else remove -->
- Previous Key: <!--
MODIFY: Add the output of `gpg --keyid-format long --list-key <MY PREVIOUS ID> | sed -n '2p' | tr -d ' '` here
if another packager key exists already, else remove
-->
<!--
NOTE: Attach the above information as a clearsigned document to this ticket.
https://www.gnupg.org/gph/en/manual/x135.html
MODIFY: Attach the above information of the details section as a clearsigned
document (see https://www.gnupg.org/gph/en/manual/x135.html) to this ticket.
If a previous (valid and trusted) packager key of the user exists, it needs to
be used for clearsigning the document.
If the key of a new packager is added, one of their sponsors needs to clearsign
the details section.
If this is the key of a new packager, one of their sponsors needs to do the
signature.
If this is a new key of an already existing packager, the packager themself
needs to do the signature.
* Select the above text, copy/paste it into a file (e.g. `details.txt`).
* Make sure to sign with the root certificate of the packager key (not any of
the subkeys!):
`gpg --armor --default-key <fingerprint_of_root>! --clearsign details.txt`
* Upload `details.txt` as attachment to this ticket.
-->
## Checks
### New key owner
### Owner of new key
- [ ] The [workflow for adding a new packager
key](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-packager-key)
......@@ -45,24 +58,18 @@ needs to do the signature.
practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
- [ ] The data in the [Details](#details) section is attached to this issue as
a clearsigned document
- [ ] The public key has been uploaded to the SKS infrastructure
- [ ] The public key has been uploaded to the pgp.mit.edu and keyserver.ubuntu.com
- [ ] A merge request to add the new public key has been created
### Main key holders
- [ ] The public key has been validated according to the [best
practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
- [ ] The public key has been signed by all main key holders
- [ ] @allan
- [ ] @anthraxx
- [ ] @bluewind
- [ ] @dvzrv
- [ ] @grazzolini
- [ ] @pierre
### Keyring maintainer
- [ ] The public key contains one user ID with a valid
`<username>@archlinux.org` email address used for signing
- [ ] The public key has been validated according to the [best
practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
### Developers of the archlinux-keyring project
- [ ] The data in the [Details](#details) section is correct and signed with a
valid and trusted packager key, which is part of `pacman-key`
valid and trusted packager key, which is already part of `archlinux-keyring`
<!--
This template is used when an existing main PGP public key needs to be removed
from the distribution's keyring.
It is used by users with a valid main key.
It is used by users with a valid main key or the holder of the revocation
certificate of the main key that is about to be removed.
NOTE: All comment sections with a MODIFY note need to be edited. All checkboxes
in the "Check" section labeled as "Main key holders" need to be checked for the
accompanying merge request to be merged.
-->
/assign @allan @anthraxx @bluewind @dvzrv @pierre
/assign @anthraxx @bluewind @dvzrv @grazzolini @pierre
/label ~"remove main key"
/title Remove main key of <!-- MODIFY: Add main key holder's username -->
<!--
......@@ -16,7 +21,7 @@ issue and assign relevant users.
## Details
- Username: <!-- MODIFY: Add the @-prefixed username -->
- PGP key ID: <!-- MODIFY: Add the "long format" key ID of the PGP public key here -->
- PGP key ID: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <MAIN KEY UID> | sed -n '2p' | tr -d ' '` here -->
- Resignation: <!-- MODIFY: Link to resignation of key holder -->
## Checks
......@@ -27,8 +32,6 @@ issue and assign relevant users.
removal of this key.
- [ ] All packagers have at least three valid main key signatures for their
packager key after removal of this key.
### Keyring maintainer
- [ ] The key has been revoked by either the revocation certificate holder or
the main key holder.
- [ ] A merge request to [remove the main public
key](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/remove-a-main-key)
has been created
......@@ -2,8 +2,10 @@
This template is used when an existing packager PGP public key needs to be
removed from the distribution's keyring.
It is used by users with a valid main key or a valid packager key.
NOTE: All comment sections with a MODIFY note need to be edited.
-->
/assign @allan @anthraxx @bluewind @dvzrv @pierre
/assign @anthraxx @bluewind @dvzrv @grazzolini @pierre
/label ~"remove packager key"
/title Remove packager key of <!-- MODIFY: Add packager key holder's username -->
<!--
......@@ -16,20 +18,26 @@ issue and assign relevant users.
## Details
- Username: <!-- MODIFY: Add the @-prefixed username -->
- PGP key ID: <!-- MODIFY: Add the "long format" key ID of the PGP public key here -->
- PGP key ID: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <PACKAGER KEY UID> | sed -n '2p' | tr -d ' '` here -->
- Resignation: <!-- MODIFY: Link to resignation of key holder -->
## Checks
- [ ] There are no packages left in any of the official repositories, that are
signed by the key, that is about to be removed.
**NOTE**: The below check box **must be** checked before the main key holders
can start to revoke the key.
- [ ] There are [no packages left in any of the official
repositories](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/Find-packages-signed-by-a-key),
that are signed by the key or any of its subkeys, which is about to be
removed.
### Main key holders
- [ ] All main key holders have revoked their signature for the key and
published the result on the SKS infrastructure
- [ ] @allan
- [ ] @anthraxx
- [ ] @bluewind
- [ ] @dvzrv
- [ ] @pierre
All main key holders should revoke their signature(s) for the given key in a
merge request to this repository using `keyringctl`.
- [ ] @anthraxx
- [ ] @bluewind
- [ ] @dvzrv
- [ ] @grazzolini
- [ ] @pierre
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment