From: Maxime Devos
To: Ludovic Courtès
Cc: Tanguy LE CARROUR, guix-devel@gnu.org
Date: Tue, 31 May 2022 10:44:08 +0200
Subject: Re: Finding a “good” OpenPGP key server
Message-ID: <7a2b453ae575934417f209b018ad96227cf68266.camel@telenet.be>
In-Reply-To: <87czfv2fvw.fsf@gnu.org>
Ludovic Courtès wrote on Mon 30-05-2022 at 17:34 [+0200]:
> > (package
> >   (name "gnurl")
> >   [...]
> >   (properties
> >     ;; Keys that are considered ‘trustworthy’ for signing releases
> >     ;; of gnurl.
> >     `((permitted-pgp-signing-keys "CABB A99E ..." "DEAD BEEF ...")
> >       ;; Locations of PGP key (possibly with some of them pointing to
> >       ;; the same key)
> >       (pgp-key-locations
> >         ,(savannah-pgp-key USER-ID) ... ; most signers are on savannah.gnu.org
> >         ,(local-file "[...]/someone.pub") ; not easily available from the Web
> >         "https://rando/key.pub"
> >         "ipfs://.../..." "gnunet://...")))) ; download key via P2P networks
> > 
> > The first part (permitted-pgp-signing-keys) has been suggested previously and
> > seems mostly orthogonal, but the second part is new.  It would reduce
> > the dependency on central infrastructure.  We could consider key servers
> > to be ‘merely’ another fallback.
> 
> We could also have our own key server.  Just like ‘guix lint -c
> archival’ triggers SWH archival, we could have a tool that triggers
> key download on the server so that crypto material never vanishes.

Is archival important here though? If the crypto material vanishes,
presumably that means the corresponding author stopped updating the
source code, so it won't be useful anymore (except for after-the-fact
verification?). What benefit would a Guix key server bring us?

I guess my suggestion is to skip any intermediate infrastructure and
let the Guix repo itself be the key ‘server’ (when using local-file (*))
or download directly from the site where the key is located.

(*) if space is a concern, there are some GPG options that can be used
for stripping out the photo IDs and the various signatures by other
people and keep only the bits actually required by Guix.

Greetings,
Maxime.
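On the footnote about stripping photo IDs and third-party signatures before committing a key: in gpg terms that is `gpg --export-options export-minimal,no-export-attributes --export FINGERPRINT`. The example below is added here and is not code from the thread, from Guix or from GnuPG; it walks the RFC 4880 packet stream of a hand-constructed sample key and drops the user-attribute (photo ID) packets together with the signatures bound to them, which doubles as a check that an exported key really lost that material.

```python
"""Walk an OpenPGP (RFC 4880) public key packet by packet and drop photo IDs
(user-attribute packets) plus the signatures bound to them.  Added illustration,
not Guix or GnuPG code.  SAMPLE_KEY (primary key, user ID + self-signature,
photo ID + signature, subkey + binding signature) is constructed by hand."""
PUBKEY, SIG, UID, SUBKEY, UATTR = 6, 2, 13, 14, 17   # RFC 4880 packet tags

def parse_packets(data):  # -> [(tag, body), ...]; partial/indeterminate lengths rejected
    i, out = 0, []
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80: raise ValueError("bad packet header at offset %d" % i)
        if hdr & 0x40:                          # new-format header
            tag, l1 = hdr & 0x3F, data[i + 1]
            if l1 < 192:
                n, i = l1, i + 2
            elif l1 < 224:
                n, i = ((l1 - 192) << 8) + data[i + 2] + 192, i + 3
            elif l1 == 255:
                n, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body length not supported")
        else:                                   # old-format header (gpg still emits these)
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3: raise ValueError("indeterminate length not supported")
            n = int.from_bytes(data[i + 1:i + 1 + (1 << ltype)], "big")
            i += 1 + (1 << ltype)
        out.append((tag, data[i:i + n]))
        i += n
    return out

def encode_packet(tag, body):  # new-format header with a one- or two-octet length
    n = len(body)
    if n >= 8384: raise ValueError("five-octet lengths not implemented here")
    length = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + length + body

def strip_attributes(data):
    """Re-encode the key without user attributes and the signatures on them."""
    keep, dropping = [], False
    for tag, body in parse_packets(data):
        if tag == UATTR:
            dropping = True          # skip this packet and the signatures that follow it
        elif tag in (PUBKEY, UID, SUBKEY):
            dropping = False         # a new identity or subkey ends the skip
        if not dropping:
            keep.append(encode_packet(tag, body))
    return b"".join(keep)

SAMPLE_KEY = b"".join(encode_packet(t, b) for t, b in [
    (PUBKEY, b"\x04" + b"\x00" * 20), (UID, b"Someone <someone@example.org>"),
    (SIG, b"\x04\x13" + b"\xaa" * 40), (UATTR, b"\x01" + b"\xff" * 300),
    (SIG, b"\x04\x13" + b"\xbb" * 40), (SUBKEY, b"\x04" + b"\x11" * 20),
    (SIG, b"\x04\x18" + b"\xcc" * 40)])
```

Running `strip_attributes` over a real `gpg --export` blob and comparing the tag list before and after shows exactly which packets a minimal export dropped.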