[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Finding a “good” OpenPGP key server
From: |
Ludovic Courtès |
Subject: |
Re: Finding a “good” OpenPGP key server |
Date: |
Mon, 30 May 2022 17:34:43 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/28.1 (gnu/linux) |
Maxime Devos <maximedevos@telenet.be> skribis:
> Ludovic Courtès schreef op ma 18-04-2022 om 22:24 [+0200]:
>> [... guix refresh -u stuff failing due to not finding the key ...]
>> I’m not sure what a good solution is (other than looking for the key
>> manually on Savannah or on some random key server).
>
> Alternatively, why use key servers at all? WDYT of something like
>
> (package
> (name "gnurl")
> [...]
> (properties
> ;; Keys that are considered ‘trustworthy’ for signing releases
> ;; of gnurl.
> `((permitted-pgp-signing-keys "CABB A99E ..." "DEAD BEEF ...")
> ;; Locations of PGP key (possibly with some of them pointing to
> ;; the same key)
> (pgp-key-locations
> ,(savannah-pgp-key USER-ID) ... ; most signers are on savannah.gnu.org
> ,(local-file "[...]/someone.pub") ; not easily available from the Web
>
> "https://rando/key.pub"
> "ipfs://.../..." "gnunet://...")))) ; download key via P2P networks
>
> The first part (permitted-pgp-signing-keys) has been suggested previously and
> seems mostly orthogonal, but the second part is new. It would reduce
> the dependency on central infrastructure. We could consider key servers
> to be ‘merely’ another fallback.
We could also have our own key server. Just like ‘guix lint -c
archival’ triggers SWH archival, we could have a tool that triggers key
download on the server so that crypto material never vanishes.
Food for thought…
Ludo’.