On 2022-05-30, Ludovic Courtès wrote:
> Maxime Devos wrote:
>
>> Ludovic Courtès wrote on Mon 18-04-2022 at 22:24 [+0200]:
>>> [... guix refresh -u stuff failing due to not finding the key ...]
>>> I’m not sure what a good solution is (other than looking for the key
>>> manually on Savannah or on some random key server).
>>
>> Alternatively, why use key servers at all? WDYT of something like
>>
>> (package
>>   (name "gnurl")
>>   [...]
>>   (properties
>>     ;; Keys that are considered ‘trustworthy’ for signing releases
>>     ;; of gnurl.
>>     `((permitted-pgp-signing-keys "CABB A99E ..." "DEAD BEEF ...")
>>       ;; Locations of PGP key (possibly with some of them pointing to
>>       ;; the same key)
>>       (pgp-key-locations
>>         ,(savannah-pgp-key USER-ID) ... ; most signers are on savannah.gnu.org
>>         ,(local-file "[...]/someone.pub") ; not easily available from the Web
>>         "https://rando/key.pub"
>>         "ipfs://.../..." "gnunet://...")))) ; download key via P2P networks
>>
>> The first part (permitted-pgp-signing-keys) has been suggested previously and
>> seems mostly orthogonal, but the second part is new. It would reduce
>> the dependency on central infrastructure. We could consider key servers
>> to be ‘merely’ another fallback.
>
> We could also have our own key server. Just like ‘guix lint -c
> archival’ triggers SWH archival, we could have a tool that triggers key
> download on the server so that crypto material never vanishes.

Or keep some keyrings in a git repo, if we want to keep the keys somewhat
restricted to committers... a major problem of the public keyserver
network is/was the ability for anyone to update or add any key for
anybody.

We've already got the keyring branch in guix.git, maybe adding an
upstream-keys branch wouldn't be madness? Or a separate git repository.
And then you could get it archived at software heritage or archive.org or
whatever trivially.

live well,
  vagrant
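An added illustration of the `permitted-pgp-signing-keys` check sketched in the quoted message (example code, not part of the thread or of Guix): after `gpg --status-fd 1 --verify` has checked a release signature, only a signature made by a full fingerprint on the package's permitted list is accepted, so where the key came from (Savannah, a local file, a key server) no longer decides trust. It assumes the permitted list holds full 40-hex-digit fingerprints, written with or without the spacing gpg prints; the status lines below are constructed.

```python
"""Accept a release signature only if it was made by a permitted key.

gpg --status-fd emits one VALIDSIG line per valid signature:
  [GNUPG:] VALIDSIG <signing-key fpr> <date> <ts> <expire> <ver> <rsvd>
           <pubkey-algo> <hash-algo> <sig-class> [<primary-key fpr>]
GOODSIG only carries a 64-bit key ID, which is too short to pin a key,
so the check below deliberately reads VALIDSIG and nothing else.
"""
import re


def normalize_fingerprint(fpr):
    """Uppercase hex without spaces; reject anything shorter than a full
    160-bit fingerprint so a key ID can never satisfy the check."""
    hexstr = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hexstr):
        raise ValueError(f"not a full fingerprint: {fpr!r}")
    return hexstr


def signing_keys_from_status(status_lines):
    """Fingerprints (signing subkey and, when reported, primary key) of every
    key that produced a valid signature according to gpg's status output."""
    signers = set()
    for line in status_lines:
        fields = line.split()
        if len(fields) < 3 or fields[:2] != ["[GNUPG:]", "VALIDSIG"]:
            continue
        signers.add(normalize_fingerprint(fields[2]))
        if len(fields) >= 12:  # primary-key fingerprint is present
            signers.add(normalize_fingerprint(fields[11]))
    return signers


def release_signed_by_permitted_key(status_lines, permitted):
    """True if at least one valid signature comes from a permitted key.
    Listing a primary key permits its signing subkeys, as in OpenPGP."""
    allowed = {normalize_fingerprint(p) for p in permitted}
    return bool(signing_keys_from_status(status_lines) & allowed)


# Constructed sample: a good signature from subkey 0123...4567 whose
# primary key is FEDC...BA98.
SAMPLE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Someone <someone@example.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2022-05-30 "
    "1653868800 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98",
]
PERMITTED = ["FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98"]

if __name__ == "__main__":
    print(release_signed_by_permitted_key(SAMPLE_STATUS, PERMITTED))
```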