From: Vagrant Cascadian
To: Ludovic Courtès, Maxime Devos
Cc: Tanguy LE CARROUR, guix-devel@gnu.org
Subject: Re: Finding a “good” OpenPGP key server
Date: Tue, 31 May 2022 08:09:21 -0700
Message-ID: <878rqhd9i6.fsf@contorta>
In-Reply-To: <87czfv2fvw.fsf@gnu.org>

On 2022-05-30, Ludovic Courtès wrote:
> Maxime Devos wrote:
>
>> Ludovic Courtès wrote on Mon 18-04-2022 at 22:24 [+0200]:
>>> [... guix refresh -u stuff failing due to not finding the key ...]
>>> I’m not sure what a good solution is (other than looking for the key
>>> manually on Savannah or on some random key server).
>>
>> Alternatively, why use key servers at all?  WDYT of something like
>>
>> (package
>>   (name "gnurl")
>>   [...]
>>   (properties
>>     ;; Keys that are considered ‘trustworthy’ for signing releases
>>     ;; of gnurl.
>>     `((permitted-pgp-signing-keys "CABB A99E ..." "DEAD BEEF ...")
>>       ;; Locations of PGP key (possibly with some of them pointing to
>>       ;; the same key)
>>       (pgp-key-locations
>>         ,(savannah-pgp-key USER-ID) ... ; most signers are on savannah.gnu.org
>>         ,(local-file "[...]/someone.pub") ; not easily available from the Web
>>         "https://rando/key.pub"
>>         "ipfs://.../..." "gnunet://...")))) ; download key via P2P networks
>>
>> The first part (permitted-pgp-signing-keys) has been suggested previously and
>> seems mostly orthogonal, but the second part is new.  It would reduce
>> the dependency on central infrastructure.  We could consider key servers
>> to be ‘merely’ another fallback.
>
> We could also have our own key server.  Just like ‘guix lint -c
> archival’ triggers SWH archival, we could have a tool that triggers key
> download on the server so that crypto material never vanishes.

Or keep some keyrings in a git repo, if we want to keep the keys
somewhat restricted to committers...
a major problem of the public keyserver network is/was the ability for
anyone to update or add any key for anybody.

We've already got the keyring branch in guix.git, maybe adding an
upstream-keys branch wouldn't be madness? Or a separate git repository.

And then you could get it archived at software heritage or archive.org
or whatever trivially.

live well,
  vagrant
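
The pinning idea discussed in this thread (a keyring kept in git plus a per-package list of permitted signing keys), as an added example that is not part of the original message and is not Guix code. It assumes the release signature was checked with `gpgv --keyring <keyring file from the git branch> --status-fd 1 release.sig release` and that the allow-list holds primary-key fingerprints; the function names and the sample status lines are constructed for illustration.

```python
# Added example: accept a release only if every valid signature on it was
# made by a key on the package's allow-list (assumed to list primary keys).

# Status keywords after which the release is rejected outright.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def normalize(fingerprint):
    """Make 'CABB A99E ...' and 'cabba99e...' compare equal."""
    return "".join(fingerprint.split()).upper()


def signature_accepted(status_text, permitted):
    """Decide from gpg/gpgv --status-fd output whether a pinned key signed."""
    allowed = {normalize(f) for f in permitted}
    signers = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in REJECT:
            return False
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            # fields[2] is the key that made the signature (often a subkey);
            # the tenth argument, when present, is the primary key.
            primary = fields[11] if len(fields) >= 12 else fields[2]
            signers.append(normalize(primary))
    # A valid signature from a key nobody pinned proves nothing: anyone can
    # publish a key, which is the keyserver problem raised in the thread.
    return bool(signers) and all(s in allowed for s in signers)


# Constructed fingerprints and status output, not real keys.
PRIMARY = "A" * 40
SUBKEY = "B" * 40
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] GOODSIG {SUBKEY[-16:]} Example Maintainer <maint@example.org>\n"
    f"[GNUPG:] VALIDSIG {SUBKEY} 2022-05-31 1654009766 0 4 0 22 10 00 {PRIMARY}\n"
)

if __name__ == "__main__":
    print(signature_accepted(SAMPLE_STATUS, [PRIMARY]))   # pinned primary key
    print(signature_accepted(SAMPLE_STATUS, ["C" * 40]))  # some other key
```
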