contrib: remove builder keys #26598

pull fanquake wants to merge 1 commits into bitcoin:master from fanquake:drop_non_guix_keys changing 5 files +1 −96
  1. fanquake commented at 12:19 pm on November 29, 2022: member

    This has been superseded by adding a builder-keys/ directory in guix.sigs, where the presence of keys, and validity of signatures is checked. Preventing issues like missing keys or invalid signatures.

    New (or exisiting) Guix builders can add their key in the next PR they open adding attestations.

    Related to issues like #26566, #26563.

    Also follows up with the comment here: #26565 (comment).

  2. fanquake added the label Scripts and tools on Nov 29, 2022
  3. DrahtBot commented at 12:19 pm on November 29, 2022: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    ACK hebasto
    Ignored review MarcoFalke

    If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

    Conflicts

    Reviewers, this pull request conflicts with the following ones:

    • #26815 (builder-keys: remove luke-jr by zpv)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

  4. maflcko removed the label Scripts and tools on Nov 29, 2022
  5. DrahtBot added the label Scripts and tools on Nov 29, 2022
  6. maflcko approved
  7. maflcko commented at 12:26 pm on November 29, 2022: member
    ACK
  8. fanquake force-pushed on Nov 29, 2022
  9. fanquake commented at 1:45 pm on November 29, 2022: member
    Pushed to add svanstaa (670BC460DC8BF5EEF1C3BC74B14CC9F833238F85), which has just been uploaded to keyservers: https://github.com/bitcoin-core/guix.sigs/pull/463#issuecomment-1330658995.
  10. fanquake force-pushed on Nov 29, 2022
  11. fanquake commented at 1:52 pm on November 29, 2022: member
    The key for kvaciral is here: https://github.com/Kvaciral/kvaciral. So I’ve included that as well.
  12. in contrib/builder-keys/keys.txt:27 in 1cf6b9d6c2 outdated 
    54 133EAC179436F14A5CF1B794860FEB804E669320 Pieter Wuille (sipa)
55+2F78ACF677029767C8736F13747A7AE2FB0FD25B satsie (satsie)
56 6A8F9C266528E25AEB1D7731C2371D91CB716EA7 Sebastian Falbesoner (theStack)
57-A8FC55F3B04BA3146F3492E79303B33A305224CB Sebastian Kung (TheCharlatan)
58 ED9BDF7AD6A55E232E84524257FF9BDBCC301009 Sjors Provoost (sjors)
59+4DAF18FE948E7A965B30F9457E296D555E7F63A7 Sjors Provoost (sjors)
    Sjors commented at 2:20 pm on November 29, 2022:
    I used this key once (?) by mistake. Though I guess there’s no harm in adding it.
  13. in contrib/builder-keys/keys.txt:23 in 1cf6b9d6c2 outdated 
    48-C57E4B42223FDE851D4F69DD28DF2724F241D8EE midnightmagic (midnightmagic)
49+2CBBF208E594BF439B5F276C7465CFFF6793242E Niklas Gögge (dergoegge)
50 F4FC70F07310028424EFC20A8E4256593F177720 Oliver Gugger (guggero, Oliver Gugger)
51-D62A803E27E7F43486035ADBBCD04D8E9CCCAC2A Paul Rabahy (prab)
52-37EC7D7B0A217CDB4B4E007E7FAB114267E4FA04 Peter Todd (petertodd)
53 D762373D24904A3E42F33B08B9A408E71DAAC974 Pieter Wuille [Location: Leuven, Belgium] (sipa)
    maflcko commented at 2:21 pm on November 29, 2022:
    This expired long before guix was a thing, so should be removed, no?
    fanquake commented at 2:39 pm on November 29, 2022:
    Yep, dropped.
  14. Sjors commented at 2:26 pm on November 29, 2022: member
    The “gitian era” isn’t that long ago. Maybe keep the keys of people who made recent commits or other contributions? In any case, if they’re added back later, we should remember to check this commit to see if it’s a key we know or a new one.
  15. maflcko commented at 2:28 pm on November 29, 2022: member

    According to the readme:

    Add your key to the list if you provided Guix attestations for two major or minor releases of Bitcoin Core.

    So I am wondering if we should add keys for one-off signatures here?

  16. fanquake commented at 2:33 pm on November 29, 2022: member

    So I am wondering if we should add keys for one-off signatures here?

    I’m not sure. If we don’t have the keys, people will just complain they are missing. Historically, people don’t seem to be good at adding their own keys here either. We also don’t want to be running a faux keyserver.

  17. Sjors commented at 2:35 pm on November 29, 2022: member

    So I am wondering if we should add keys for one-off signatures here?

    I would keep them if they’re already here. If we want to lower the threshold for adding them (or even add them “non interactively”), that seems like a separate issue.

  18. fanquake force-pushed on Nov 29, 2022
  19. maflcko commented at 3:08 pm on November 29, 2022: member

    I’m not sure. If we don’t have the keys, people will just complain they are missing. Historically, people don’t seem to be good at adding their own keys here either. We also don’t want to be running a faux keyserver.

    Well, if you think it is important to always list all keys, then your are running a keyserver (sort of). It will never be possible to have all keys at all times be listed, non-revoked and non-expired. So attempting that shouldn’t be a goal.

    However, I wonder if this whole file can be removed and be replaced by having the full keys in the attestations repo, see also https://github.com/bitcoin-core/guix.sigs/issues/133 .

  20. Sjors commented at 3:18 pm on November 29, 2022: member

    There’s (probably) not as much scrutiny on the guix.sigs repo as on this one, so at minimum we should keep (some) key ids here. For someone who has no developers inside their web of trust, the list here is a nice place to start.

    If someone downloads the binary along with source code (e.g. via the Torrent), then they’ll have this file, but not the guix.sigs repo. (that said, verify-binaries currently isn’t designed to check files you already downloaded, but it could…)

  21. maflcko commented at 11:22 am on November 30, 2022: member

    There’s (probably) not as much scrutiny on the guix.sigs repo as on this one

    This pull request is adding key fingerprints because they happened to be used once to sign and also happened to be on the internet somewhere. I don’t think this is any different from just doing https://github.com/bitcoin-core/guix.sigs/issues/133

  22. vertiond commented at 9:30 pm on December 4, 2022: none
    My github username is vertiond. Could you adjust my name in parentheses to vertion (vertiond)?
  23. fanquake force-pushed on Dec 5, 2022
  24. fanquake commented at 9:41 am on December 5, 2022: member

    Could you adjust my name in parentheses to vertion (vertiond)?

    Thanks. Have updated. Will close 26634 now as well.

  25. luke-jr commented at 10:05 am on December 5, 2022: member
    Seems like we should ping @schildbach @btcdrak @theuni @droark @cisba @fivepiece @Fuzzbawls @jhfrontz @jl2012 @jtimon @kallewoof @kristapsk @niftynei @MarcoFalke @TheBlueMatt @meshcollider @miketwenty1 @Michagogo @midnightmagic @petertodd @TheCharlatan @wtogami @willyko to see if any of them have interest in doing Guix builds.
  26. TheCharlatan commented at 10:33 am on December 5, 2022: contributor

    Seems like we should ping … to see if any of them have interest in doing Guix builds.

    Yes, I’ll contribute some.

  27. droark commented at 4:52 pm on December 5, 2022: contributor
    Hi! Thanks for the reminder. Been meaning to get that going. I’ll do it sometime this week.
  28. jhfrontz commented at 6:17 pm on December 7, 2022: contributor

    Hi! Thanks for the reminder. Been meaning to get that going. I’ll do it sometime this week.

    Ditto.

  29. willyko commented at 5:54 pm on December 9, 2022: contributor
    Thanks for the ping. Just did a guix build & attestations for 24.0.1
  30. kallewoof commented at 11:55 pm on December 10, 2022: member
    Interest: yes, time: limited. If my speedy participation is required, you may remove my key.
  31. miketwenty1 commented at 0:10 am on December 11, 2022: contributor
    @luke-jr thanks for the ping. I will be interested in participating over on bitcoin-core/guix.sigs repo early next year on future builds. Seems that this is now easy enough for a caveman to do it.. count me in.
  32. petertodd commented at 7:33 pm on December 11, 2022: contributor
    Feel free to remove mine. If I do a guix build I need to update my key anyway.
  34. maflcko commented at 2:11 pm on December 16, 2022: member
    Alternative in https://github.com/bitcoin-core/guix.sigs/pull/535
  35. fanquake force-pushed on Dec 19, 2022
  36. fanquake commented at 5:11 pm on December 19, 2022: member
    Now that we have https://github.com/bitcoin-core/guix.sigs/pull/535, I’ve changed the approach here.
  37. maflcko commented at 5:20 pm on December 19, 2022: member
    ACK 1b1a5bea7ddefa3a386733bef9a613013de5fbc7
  38. contrib: remove builder keys 
    This has been superseded by adding a builder-keys/ directory in
guix.sigs, where the presence of keys, and validity of signatures
is checked. Preventing issues like missing keys or invalid signatures.

New (or exisiting) Guix builders can add their key in the next PR
they open adding attestations.
    e6864fa157
  39. fanquake force-pushed on Dec 19, 2022
  40. hebasto approved
  41. hebasto commented at 8:07 am on December 20, 2022: member
    ACK e6864fa157d75d8ae2b2f56620b019bde2355a24, modulo s/update/remove/ in the PR tittle.
  42. fanquake renamed this:
    contrib: update builder keys
    contrib: remove builder keys
    on Dec 20, 2022
  43. maflcko referenced this in commit 296e882250 on Jan 5, 2023
  44. DrahtBot added the label Needs rebase on Jan 5, 2023
  45. DrahtBot commented at 8:42 am on January 5, 2023: contributor

    🐙 This pull request conflicts with the target branch and needs rebase.

  46. maflcko closed this on Jan 5, 2023
  47. fanquake deleted the branch on Jan 5, 2023
  48. sidhujag referenced this in commit 7ea333b37d on Jan 5, 2023
  49. twofaktor referenced this in commit 4d03e98702 on Jan 6, 2023
  50. bitcoin locked this on Jan 5, 2024


fanquake DrahtBot maflcko Sjors vertiond luke-jr TheCharlatan droark jhfrontz willyko kallewoof miketwenty1 petertodd cisba hebasto

Labels
Scripts and tools Needs rebase

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-21 15:12 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me