[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Finding a “good” OpenPGP key server
From: |
Tanguy LE CARROUR |
Subject: |
Re: Finding a “good” OpenPGP key server |
Date: |
Tue, 31 May 2022 09:55:57 +0200 |
User-agent: |
alot/0.10 |
Hi Ludo’,
Quoting Ludovic Courtès (2022-05-30 17:34:43)
> Maxime Devos <maximedevos@telenet.be> skribis:
>
> > Ludovic Courtès schreef op ma 18-04-2022 om 22:24 [+0200]:
> >> [... guix refresh -u stuff failing due to not finding the key ...]
> >> I’m not sure what a good solution is (other than looking for the key
> >> manually on Savannah or on some random key server).
> >
> > Alternatively, why use key servers at all? WDYT of something like
> >
> > (package
> > (name "gnurl")
> > [...]
> > (properties
> > ;; Keys that are considered ‘trustworthy’ for signing releases
> > ;; of gnurl.
> > `((permitted-pgp-signing-keys "CABB A99E ..." "DEAD BEEF ...")
> > ;; Locations of PGP key (possibly with some of them pointing to
> > ;; the same key)
> > (pgp-key-locations
> > ,(savannah-pgp-key USER-ID) ... ; most signers are on
> > savannah.gnu.org
> > ,(local-file "[...]/someone.pub") ; not easily available from the
> > Web
> > "https://rando/key.pub"
> > "ipfs://.../..." "gnunet://...")))) ; download key via P2P networks
> >
> > The first part (permitted-pgp-signing-keys) has been suggested previously
> > and
> > seems mostly orthogonal, but the second part is new. It would reduce
> > the dependency on central infrastructure. We could consider key servers
> > to be ‘merely’ another fallback.
>
> We could also have our own key server. Just like ‘guix lint -c
> archival’ triggers SWH archival, we could have a tool that triggers key
> download on the server so that crypto material never vanishes.
That would be a solution, I guess. But what would be the cost of setting
it up and maintaining it?
Is gnurl the only package with this problem or is it something that happens
often?!
Regards,
--
Tanguy