Re: Finding a “good” OpenPGP key server

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Finding a “good” OpenPGP key server

From:	Vagrant Cascadian
Subject:	Re: Finding a “good” OpenPGP key server
Date:	Tue, 31 May 2022 08:09:21 -0700

On 2022-05-30, Ludovic Courtès wrote:
> Maxime Devos <maximedevos@telenet.be> skribis:
>
>> Ludovic Courtès schreef op ma 18-04-2022 om 22:24 [+0200]:
>>> [... guix refresh -u stuff failing due to not finding the key ...]
>>> I’m not sure what a good solution is (other than looking for the key
>>> manually on Savannah or on some random key server).
>>
>> Alternatively, why use key servers at all?  WDYT of something like
>>
>> (package
>>   (name "gnurl")
>>   [...]
>>   (properties
>>     ;; Keys that are considered ‘trustworthy’ for signing releases
>>     ;; of gnurl.
>>     `((permitted-pgp-signing-keys "CABB A99E ..." "DEAD BEEF ...")
>>       ;; Locations of PGP key (possibly with some of them pointing to
>>       ;; the same key)
>>       (pgp-key-locations
>>         ,(savannah-pgp-key USER-ID) ... ; most signers are on 
>> savannah.gnu.org
>>         ,(local-file "[...]/someone.pub") ; not easily available from the 
>> Web               
>>         "https://rando/key.pub";
>>         "ipfs://.../..." "gnunet://...")))) ; download key via P2P networks
>>
>> The first part (permitted-pgp-signing-keys) has been suggested previously and
>> seems mostly orthogonal, but the second part is new.  It would reduce
>> the dependency on central infrastructure.  We could consider key servers
>> to be ‘merely’ another fallback.
>
> We could also have our own key server.  Just like ‘guix lint -c
> archival’ triggers SWH archival, we could have a tool that triggers key
> download on the server so that crypto material never vanishes.

Or keep some keyrings in a git repo, if we want to keep the keys
somewhat restricted to committers... a major problem of the public
keyserver network is/was the ability for anyone to update or add any key
for anybody.

We've already got the keyring branch in guix.git, maybe adding an
upstream-keys branch wouldn't be madness? Or a separate git
repository. And then you could get it archived at software heritage or
archive.org or whatever trivially.


live well,
  vagrant

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

Re: Finding a “good” OpenPGP key server, Tanguy LE CARROUR, 2022/05/02
- Re: Finding a “good” OpenPGP key server, Ludovic Courtès, 2022/05/23
- Re: Finding a “good” OpenPGP key server, Maxime Devos, 2022/05/23
  - Re: Finding a “good” OpenPGP key server, Ludovic Courtès, 2022/05/30
    - Re: Finding a “good” OpenPGP key server, Tanguy LE CARROUR, 2022/05/31
    - Re: Finding a “good” OpenPGP key server, Maxime Devos, 2022/05/31
    - Re: Finding a “good” OpenPGP key server, Vagrant Cascadian <=
    - Re: Finding a “good” OpenPGP key server, zimoun, 2022/05/31

Prev by Date: Re: antioxidant-build-system can be tested as a channel, + GTK app 'castor' builds
Next by Date: Re: antioxidant-build-system can be tested as a channel, + > GTK app 'castor' builds
Previous by thread: Re: Finding a “good” OpenPGP key server
Next by thread: Re: Finding a “good” OpenPGP key server
Index(es):
- Date
- Thread