[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Finding a “good” OpenPGP key server
From: |
Vagrant Cascadian |
Subject: |
Re: Finding a “good” OpenPGP key server |
Date: |
Tue, 31 May 2022 08:09:21 -0700 |
On 2022-05-30, Ludovic Courtès wrote:
> Maxime Devos <maximedevos@telenet.be> skribis:
>
>> Ludovic Courtès schreef op ma 18-04-2022 om 22:24 [+0200]:
>>> [... guix refresh -u stuff failing due to not finding the key ...]
>>> I’m not sure what a good solution is (other than looking for the key
>>> manually on Savannah or on some random key server).
>>
>> Alternatively, why use key servers at all? WDYT of something like
>>
>> (package
>> (name "gnurl")
>> [...]
>> (properties
>> ;; Keys that are considered ‘trustworthy’ for signing releases
>> ;; of gnurl.
>> `((permitted-pgp-signing-keys "CABB A99E ..." "DEAD BEEF ...")
>> ;; Locations of PGP key (possibly with some of them pointing to
>> ;; the same key)
>> (pgp-key-locations
>> ,(savannah-pgp-key USER-ID) ... ; most signers are on
>> savannah.gnu.org
>> ,(local-file "[...]/someone.pub") ; not easily available from the
>> Web
>> "https://rando/key.pub"
>> "ipfs://.../..." "gnunet://...")))) ; download key via P2P networks
>>
>> The first part (permitted-pgp-signing-keys) has been suggested previously and
>> seems mostly orthogonal, but the second part is new. It would reduce
>> the dependency on central infrastructure. We could consider key servers
>> to be ‘merely’ another fallback.
>
> We could also have our own key server. Just like ‘guix lint -c
> archival’ triggers SWH archival, we could have a tool that triggers key
> download on the server so that crypto material never vanishes.
Or keep some keyrings in a git repo, if we want to keep the keys
somewhat restricted to committers... a major problem of the public
keyserver network is/was the ability for anyone to update or add any key
for anybody.
We've already got the keyring branch in guix.git, maybe adding an
upstream-keys branch wouldn't be madness? Or a separate git
repository. And then you could get it archived at software heritage or
archive.org or whatever trivially.
live well,
vagrant
signature.asc
Description: PGP signature