Update issue templates

.gitlab/issue_templates/*:
Replace allan with grazzolini when assigning tickets or when addressing
main key holders.
Streamline the checkbox system, by relying on less interaction from the
main key holders' side if possible (e.g. checks on new keys are done
automatically in a merge request, so have contributors open the merge
request).
Add more documentation on what needs to be edited and how to provide
data exactly (e.g. keyid format, clearsigned document).
David Runge 2022-02-24 23:48:25 +01:00
parent 845dba12d5
commit 6e23b78671
No known key found for this signature in database
GPG Key ID: 7258734B41C31549
4 changed files with 84 additions and 54 deletions


@ -2,8 +2,12 @@
This template is used when a new main PGP public key needs to be added to the This template is used when a new main PGP public key needs to be added to the
distribution's keyring. distribution's keyring.
It is used by users with a valid packager key. It is used by users with a valid packager key.
NOTE: All comment sections with a MODIFY note need to be edited. All checkboxes
in the "Checks" section labeled as "Owner of new key" need to be checked by the
owner of the new key.
--> -->
/assign @allan @anthraxx @bluewind @dvzrv @pierre /assign @anthraxx @bluewind @dvzrv @grazzolini @pierre
/label ~"new main key" /label ~"new main key"
/title New main key of <!-- MODIFY: Add new main key holder's username --> /title New main key of <!-- MODIFY: Add new main key holder's username -->
<!-- <!--
@ -16,18 +20,27 @@ issue and assign relevant users.
## Details ## Details
- Username: <!-- MODIFY: Add the @-prefixed username --> - Username: <!-- MODIFY: Add the @-prefixed username -->
- PGP key ID: <!-- MODIFY: Add the "long format" key ID of the new PGP public key here --> - PGP key ID: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <MY UID> | sed -n '2p' | tr -d ' '` here -->
- Revocation Certificate Holder: <!-- MODIFY: Add the @-prefixed username of the revocation certificate holder --> - Revocation Certificate Holder: <!-- MODIFY: Add the @-prefixed username of the revocation certificate holder -->
<!-- <!--
NOTE: Attach the above information as a clearsigned document to this ticket MODIFY: Attach the above information of the details section as a clearsigned
using a valid packager key of the user. document (see https://www.gnupg.org/gph/en/manual/x135.html) to this ticket
https://www.gnupg.org/gph/en/manual/x135.html using a valid packager key of the user:
* Select the above text, copy/paste it into a file (e.g. `details.txt`).
* Make sure to sign with the root certificate of the packager key (not any of
the subkeys!):
`gpg --armor --default-key <fingerprint_of_root>! --clearsign details.txt`
* Upload `details.txt` as attachment to this ticket.
--> -->
## Checks ## Checks
### New key owner **NOTE**: The below check boxes **must be** checked before the accompanying
merge request to add the new main key can be merged.
### Owner of new key
- [ ] The [workflow for adding a new main - [ ] The [workflow for adding a new main
key](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-main-key) key](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-main-key)
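Review bot: The last added bullet asks for `details.txt` to be uploaded, but `gpg --armor --default-key <fingerprint_of_root>! --clearsign details.txt` leaves `details.txt` unsigned and writes the clearsigned copy to `details.txt.asc`. The step should name `details.txt.asc` as the attachment, otherwise someone following the instructions literally attaches an unsigned file. On the PGP key ID line, with GnuPG 2.1 and later the second line of the `gpg --keyid-format long --list-key` listing is the full fingerprint, not the long key ID, so the field label and the command disagree; relabel the field as fingerprint or state which of the two is expected.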
@ -38,18 +51,17 @@ https://www.gnupg.org/gph/en/manual/x135.html
a clearsigned document a clearsigned document
- [ ] The revocation certificate has been sent in an encrypted message to the - [ ] The revocation certificate has been sent in an encrypted message to the
revocation certificate holder revocation certificate holder
- [ ] The public key has been uploaded to the SKS infrastructure - [ ] The public key has been uploaded to the pgp.mit.edu and keyserver.ubuntu.com
- [ ] A merge request to add the new public key has been created
### Keyring maintainer
- [ ] The key pair has been validated according to the [best
practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
- [ ] The data in the [Details](#details) section is correct and signed with a
valid and trusted packager key, which is part of `pacman-key`
### Revocation Certificate Holder ### Revocation Certificate Holder
- [ ] The revocation certificate has been [verified - [ ] The revocation certificate has been [verified
as working](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/verify-a-revocation-certificate) as working](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/verify-a-revocation-certificate)
and confirmed in a comment to this issue and confirmed in a comment to this issue
- [ ] The revocation certificate has been backed up in a dedicated encrypted backup storage - [ ] The revocation certificate has been backed up on a dedicated encrypted backup storage medium
### Main key holders
- [ ] The data in the [Details](#details) section is correct and signed with a
valid and trusted packager key, which is already part of `archlinux-keyring`
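Review bot: The "Keyring maintainer" rows, including the box "The key pair has been validated according to the best practices", appear on one side of this hunk only, and the new "Main key holders" section keeps just the check on the signed Details data. If the validation is now covered by the automated checks in the merge request, as the commit message suggests, the template should say so next to the "A merge request to add the new public key has been created" box, so that a reader of the ticket can tell where that check happens. Minor wording: "uploaded to the pgp.mit.edu and keyserver.ubuntu.com" reads better without "the".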


@ -3,8 +3,12 @@ This template is used when a new packager PGP public key needs to be added to
the distribution's keyring. the distribution's keyring.
It is either used by the sponsor of a new packager or by an existing packager It is either used by the sponsor of a new packager or by an existing packager
when adding a new key for themself. when adding a new key for themself.
NOTE: All comment sections with a MODIFY note need to be edited. All checkboxes
in the "Checks" section labeled as "Owner of new key" need to be checked by the
owner of the new key or by a sponsor of a new packager.
--> -->
/assign @allan @anthraxx @bluewind @dvzrv @pierre /assign @anthraxx @bluewind @dvzrv @grazzolini @pierre
/label ~"new packager key" /label ~"new packager key"
/title New packager key of <!-- MODIFY: Add new packager key holder's username --> /title New packager key of <!-- MODIFY: Add new packager key holder's username -->
<!-- <!--
@ -17,24 +21,33 @@ issue and assign relevant users.
## Details ## Details
- Username: <!-- MODIFY: Add the @-prefixed username --> - Username: <!-- MODIFY: Add the @-prefixed username -->
- PGP key ID: <!-- MODIFY: Add the "long format" key ID of the new PGP public key here --> - PGP key ID: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <MY UID> | sed -n '2p' | tr -d ' '` here -->
- Sponsors: <!-- MODIFY: Add the @-prefixed usernames of the sponsors --> - Sponsors: <!-- MODIFY: Add the @-prefixed usernames of the sponsors -->
- Application: <!-- MODIFY: Add link to application, if this is the key of a new packager, else remove --> - Application: <!-- MODIFY: Add link to application, if this is the key of a new packager, else remove -->
- Results: <!-- MODIFY: Add link to results of application, if this is the key of a new packager, else remove --> - Results: <!-- MODIFY: Add link to results of application, if this is the key of a new packager, else remove -->
- Previous Key: <!--
MODIFY: Add the output of `gpg --keyid-format long --list-key <MY PREVIOUS ID> | sed -n '2p' | tr -d ' '` here
if another packager key exists already, else remove
-->
<!-- <!--
NOTE: Attach the above information as a clearsigned document to this ticket. MODIFY: Attach the above information of the details section as a clearsigned
https://www.gnupg.org/gph/en/manual/x135.html document (see https://www.gnupg.org/gph/en/manual/x135.html) to this ticket.
If a previous (valid and trusted) packager key of the user exists, it needs to
be used for clearsigning the document.
If the key of a new packager is added, one of their sponsors needs to clearsign
the details section.
If this is the key of a new packager, one of their sponsors needs to do the * Select the above text, copy/paste it into a file (e.g. `details.txt`).
signature. * Make sure to sign with the root certificate of the packager key (not any of
If this is a new key of an already existing packager, the packager themself the subkeys!):
needs to do the signature. `gpg --armor --default-key <fingerprint_of_root>! --clearsign details.txt`
* Upload `details.txt` as attachment to this ticket.
--> -->
## Checks ## Checks
### New key owner ### Owner of new key
- [ ] The [workflow for adding a new packager - [ ] The [workflow for adding a new packager
key](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-packager-key) key](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-packager-key)
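Review bot: The "Previous Key" and "PGP key ID" commands both take the second line of a `gpg --list-key` listing, which only describes the first key that matches the argument. A packager who adds a new key while an older one exists will usually have both under the same user ID, so `<MY UID>` can return the old key's line; the comments should ask for the fingerprint of the specific key as the argument rather than a UID. The signing instructions are also ambiguous for new packagers: the paragraph says a sponsor clearsigns the details, while the bullet says to sign "with the root certificate of the packager key", without saying that this means the signer's existing trusted key and not the key being added. As in the main key template, the upload step should name `details.txt.asc`, which is the file `--clearsign` writes.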
@ -45,24 +58,18 @@ needs to do the signature.
practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair) practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
- [ ] The data in the [Details](#details) section is attached to this issue as - [ ] The data in the [Details](#details) section is attached to this issue as
a clearsigned document a clearsigned document
- [ ] The public key has been uploaded to the SKS infrastructure - [ ] The public key has been uploaded to the pgp.mit.edu and keyserver.ubuntu.com
- [ ] A merge request to add the new public key has been created
### Main key holders ### Main key holders
- [ ] The public key has been validated according to the [best
practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
- [ ] The public key has been signed by all main key holders - [ ] The public key has been signed by all main key holders
- [ ] @allan
- [ ] @anthraxx - [ ] @anthraxx
- [ ] @bluewind - [ ] @bluewind
- [ ] @dvzrv - [ ] @dvzrv
- [ ] @grazzolini
- [ ] @pierre - [ ] @pierre
### Keyring maintainer ### Developers of the archlinux-keyring project
- [ ] The public key contains one user ID with a valid
`<username>@archlinux.org` email address used for signing
- [ ] The public key has been validated according to the [best
practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
- [ ] The data in the [Details](#details) section is correct and signed with a - [ ] The data in the [Details](#details) section is correct and signed with a
valid and trusted packager key, which is part of `pacman-key` valid and trusted packager key, which is already part of `archlinux-keyring`
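Review bot: The boxes for "The public key has been validated according to the best practices" under both "Main key holders" and the former "Keyring maintainer" section, and the box requiring one user ID with a valid `<username>@archlinux.org` address, appear on one side of this hunk only, which together with the commit message reads as their removal in favour of automated checks in the merge request. The template should then name that dependency explicitly, for example a box stating that the merge request pipeline passed, because nothing in the remaining "Developers of the archlinux-keyring project" section records that the user ID and key validation were checked. The per-holder list here and the `/assign` line in the first hunk now both carry the roster and have to be kept in sync by hand.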


@ -1,9 +1,14 @@
<!-- <!--
This template is used when an existing main PGP public key needs to be removed This template is used when an existing main PGP public key needs to be removed
from the distribution's keyring. from the distribution's keyring.
It is used by users with a valid main key. It is used by users with a valid main key or the holder of the revocation
certificate of the main key that is about to be removed.
NOTE: All comment sections with a MODIFY note need to be edited. All checkboxes
in the "Check" section labeled as "Main key holders" need to be checked for the
accompanying merge request to be merged.
--> -->
/assign @allan @anthraxx @bluewind @dvzrv @pierre /assign @anthraxx @bluewind @dvzrv @grazzolini @pierre
/label ~"remove main key" /label ~"remove main key"
/title Remove main key of <!-- MODIFY: Add main key holder's username --> /title Remove main key of <!-- MODIFY: Add main key holder's username -->
<!-- <!--
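Review bot: The added NOTE refers to the "Check" section, while the heading in this template is "## Checks" and the other three templates say "Checks" in the same sentence; use "Checks" here as well. The NOTE also says the boxes labeled "Main key holders" must be checked, so it is worth confirming that a heading with exactly that label exists in the Checks section after the "Keyring maintainer" heading is dropped later in this file.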
@ -16,7 +21,7 @@ issue and assign relevant users.
## Details ## Details
- Username: <!-- MODIFY: Add the @-prefixed username --> - Username: <!-- MODIFY: Add the @-prefixed username -->
- PGP key ID: <!-- MODIFY: Add the "long format" key ID of the PGP public key here --> - PGP key ID: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <MAIN KEY UID> | sed -n '2p' | tr -d ' '` here -->
- Resignation: <!-- MODIFY: Link to resignation of key holder --> - Resignation: <!-- MODIFY: Link to resignation of key holder -->
## Checks ## Checks
@ -27,8 +32,6 @@ issue and assign relevant users.
removal of this key. removal of this key.
- [ ] All packagers have at least three valid main key signatures for their - [ ] All packagers have at least three valid main key signatures for their
packager key after removal of this key. packager key after removal of this key.
- [ ] A merge request to [remove the main public
### Keyring maintainer key](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/remove-a-main-key)
has been created
- [ ] The key has been revoked by either the revocation certificate holder or
the main key holder.
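Review bot: The box "The key has been revoked by either the revocation certificate holder or the main key holder" and its "Keyring maintainer" heading appear on one side only, and the hunk header (8 lines down to 6) indicates they are removed, leaving "A merge request to remove the main public key has been created" as the last check. With that, the ticket no longer records that the main key was actually revoked as opposed to merely dropped from the keyring. Keep an explicit revocation box, or state in the new merge request box that the linked workflow includes the revocation.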


@ -2,8 +2,10 @@
This template is used when an existing packager PGP public key needs to be This template is used when an existing packager PGP public key needs to be
removed from the distribution's keyring. removed from the distribution's keyring.
It is used by users with a valid main key or a valid packager key. It is used by users with a valid main key or a valid packager key.
NOTE: All comment sections with a MODIFY note need to be edited.
--> -->
/assign @allan @anthraxx @bluewind @dvzrv @pierre /assign @anthraxx @bluewind @dvzrv @grazzolini @pierre
/label ~"remove packager key" /label ~"remove packager key"
/title Remove packager key of <!-- MODIFY: Add packager key holder's username --> /title Remove packager key of <!-- MODIFY: Add packager key holder's username -->
<!-- <!--
@ -16,20 +18,26 @@ issue and assign relevant users.
## Details ## Details
- Username: <!-- MODIFY: Add the @-prefixed username --> - Username: <!-- MODIFY: Add the @-prefixed username -->
- PGP key ID: <!-- MODIFY: Add the "long format" key ID of the PGP public key here --> - PGP key ID: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <PACKAGER KEY UID> | sed -n '2p' | tr -d ' '` here -->
- Resignation: <!-- MODIFY: Link to resignation of key holder --> - Resignation: <!-- MODIFY: Link to resignation of key holder -->
## Checks ## Checks
- [ ] There are no packages left in any of the official repositories, that are **NOTE**: The below check box **must be** checked before the main key holders
signed by the key, that is about to be removed. can start to revoke the key.
- [ ] There are [no packages left in any of the official
repositories](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/Find-packages-signed-by-a-key),
that are signed by the key or any of its subkeys, which is about to be
removed.
### Main key holders ### Main key holders
- [ ] All main key holders have revoked their signature for the key and All main key holders should revoke their signature(s) for the given key in a
published the result on the SKS infrastructure merge request to this repository using `keyringctl`.
- [ ] @allan
- [ ] @anthraxx - [ ] @anthraxx
- [ ] @bluewind - [ ] @bluewind
- [ ] @dvzrv - [ ] @dvzrv
- [ ] @grazzolini
- [ ] @pierre - [ ] @pierre
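Review bot: The added NOTE says the box must be checked "before the main key holders can start to revoke the key", but the section below has them revoke their signature(s) on the key, not the key itself; the NOTE should say "revoke their signatures for the key". The old checkbox text is replaced by a plain sentence using "should" while the per-holder boxes stay, so what a ticked `@name` box asserts is now implicit; a short phrase such as "tick your name once your revocation is part of the merge request" would remove the guesswork. In the new packages checkbox, "which is about to be removed" trails "any of its subkeys" and can be read as applying to the subkeys only; moving it directly after "the key" fixes that.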