unofficial mirror of guix-devel@gnu.org 
From: "Ludovic Courtès" <ludo@gnu.org>
To: Maxime Devos <maximedevos@telenet.be>
Cc: Tanguy LE CARROUR <tanguy@bioneland.org>,  guix-devel@gnu.org
Subject: Re: Finding a “good” OpenPGP key server
Date: Wed, 01 Jun 2022 18:31:19 +0200
Message-ID: <87leuguyzs.fsf@gnu.org>
In-Reply-To: <7a2b453ae575934417f209b018ad96227cf68266.camel@telenet.be> (Maxime Devos's message of "Tue, 31 May 2022 10:44:08 +0200")

Maxime Devos <maximedevos@telenet.be> wrote:

> Ludovic Courtès wrote on Mon 30-05-2022 at 17:34 [+0200]:

[...]

>> We could also have our own key server.  Just like ‘guix lint -c
>> archival’ triggers SWH archival, we could have a tool that triggers
>> key download on the server so that crypto material never vanishes.
>
> Is archival important here though?  If the crypto material vanishes,
> presumably that means the corresponding author stopped updating the
> source code, so it won't be useful anymore (except for after-the-fact
> verification?).

If you want to be able to authenticate software, even after the fact,
then key material needs to be available (that’s why the commit
authentication framework lets you store keys in the repo).

> What benefit would a Guix key server bring us?

It would allow us to archive signing keys of all the software packages
ever added to Guix.

I can picture a new ambitious project that we could call:
OpenPGP Key Heritage.

> I guess my suggestion is to skip any intermediate infrastructure and
> let the Guix repo itself be the key ‘server’ (when using local-file
> (*)) or download directly from the site where the key is located.
>
> (*) if space is concern, there are some GPG options that can be used
> for stripping out the photo ids and the various signatures by other
> people and keep only the bits actually required by Guix.

Let’s assume 10K packages are signed, and that the signing key changes
once per year.  After 5 years, we’d have accumulated 50K OpenPGP
certificates in the repo.  Even if they are stripped (no user ID, no
photo, etc.), that’s still non-negligible.

So yes, I’d rather have it out-of-band.  :-)

Ludo’.
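As an added example for the stripping Maxime mentions and the size concern raised above (example code written for this page, not code from this thread or from Guix): a packet-level stripper that keeps only the primary key, subkeys, user IDs and the self-signatures binding them, dropping photo IDs (user attribute packets), the signatures over them, and third-party certifications. This is comparable in intent to GnuPG's `--export-options export-minimal`, but done directly on the RFC 4880 packet stream so the effect on size is visible. The sample certificate, the `strip_certificate` name and the dummy key material are all constructed for the example; the sample is not a valid key, only its packet framing is realistic.

```python
# Packet-level stripping of an OpenPGP certificate (RFC 4880 framing).
# Added example for this thread, not Guix code.  The sample certificate
# below is constructed with dummy key material and is not a real key.
import hashlib
import struct

TAG_SIG, TAG_PUBKEY, TAG_UID, TAG_SUBKEY, TAG_UATTR = 2, 6, 13, 14, 17
SUBPKT_CREATION, SUBPKT_ISSUER = 2, 16


def parse_packets(data):
    """Yield (tag, body) for each packet, accepting old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte")
        if ctb & 0x40:                                   # new format
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old format
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = (2, 3, 5)[ltype]
            length = int.from_bytes(data[i + 1:i + hdr], "big")
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        i += hdr + length


def encode_packet(tag, body):
    """Serialize a packet with new-format framing."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body


def key_id(key_body):
    """v4 key ID: low 64 bits of the SHA-1 fingerprint over 0x99, length, body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()[-8:]


def signature_issuer(sig_body):
    """Issuer key ID from a v4 signature's hashed/unhashed subpackets (None if absent)."""
    if sig_body[0] != 4:
        raise ValueError("only v4 signatures handled")
    pos, issuer = 4, None
    for _ in range(2):                                   # hashed area, then unhashed
        end = pos + 2 + struct.unpack(">H", sig_body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            first = sig_body[pos]
            if first < 192:
                slen, hdr = first, 1
            elif first < 255:
                slen, hdr = ((first - 192) << 8) + sig_body[pos + 1] + 192, 2
            else:
                slen, hdr = struct.unpack(">I", sig_body[pos + 1:pos + 5])[0], 5
            stype = sig_body[pos + hdr] & 0x7F           # length covers the type octet
            if stype == SUBPKT_ISSUER and issuer is None:
                issuer = sig_body[pos + hdr + 1:pos + hdr + slen]
            pos += hdr + slen
    return issuer


def strip_certificate(cert):
    """Keep primary key, subkeys, user IDs and self-signatures; drop everything else."""
    packets = list(parse_packets(cert))
    if not packets or packets[0][0] != TAG_PUBKEY:
        raise ValueError("certificate must start with a public-key packet")
    primary = key_id(packets[0][1])
    kept, skipping = [], False
    for tag, body in packets:
        if tag == TAG_UATTR:                             # photo ID: drop it and its sigs
            skipping = True
        elif tag in (TAG_PUBKEY, TAG_SUBKEY, TAG_UID):
            skipping = False
            kept.append((tag, body))
        elif tag == TAG_SIG and not skipping and signature_issuer(body) == primary:
            kept.append((tag, body))                     # self-sig or subkey binding
        # third-party certifications, trust packets, etc. are dropped
    return b"".join(encode_packet(t, b) for t, b in kept)


def make_signature(sig_type, issuer):
    """v4 signature body with a dummy MPI; only the framing is realistic (constructed)."""
    hashed = (bytes([5, SUBPKT_CREATION]) + struct.pack(">I", 1654100000)
              + bytes([9, SUBPKT_ISSUER]) + issuer)
    return (bytes([4, sig_type, 22, 8]) + struct.pack(">H", len(hashed)) + hashed
            + b"\x00\x00" + b"\x12\x34" + struct.pack(">H", 512) + b"\x5a" * 64)


def sample_certificate():
    """Constructed certificate: key, UID, self-sig, third-party sig, photo ID, subkey."""
    primary_key = bytes([4]) + struct.pack(">I", 1654000000) + bytes([22]) + b"\x11" * 43
    subkey = bytes([4]) + struct.pack(">I", 1654000001) + bytes([18]) + b"\x22" * 43
    me, stranger = key_id(primary_key), b"\xde\xad\xbe\xef\x00\x00\x00\x01"
    photo = b"\xff" * 2000                               # stand-in for a JPEG photo ID
    old_style = b"\x99" + struct.pack(">H", len(primary_key)) + primary_key  # old-format header
    return old_style + b"".join([
        encode_packet(TAG_UID, b"Example Maintainer <maintainer@example.org>"),
        encode_packet(TAG_SIG, make_signature(0x13, me)),        # positive self-certification
        encode_packet(TAG_SIG, make_signature(0x10, stranger)),  # third-party certification
        encode_packet(TAG_UATTR, photo),
        encode_packet(TAG_SIG, make_signature(0x13, me)),        # self-sig over the photo
        encode_packet(TAG_SUBKEY, subkey),
        encode_packet(TAG_SIG, make_signature(0x18, me)),        # subkey binding signature
    ])


def packet_tags(cert):
    return [tag for tag, _ in parse_packets(cert)]


if __name__ == "__main__":
    full = sample_certificate()
    minimal = strip_certificate(full)
    print(packet_tags(full), len(full), "->", packet_tags(minimal), len(minimal))
```

The stripped output is idempotent (stripping it again changes nothing), which matters if the same tool is run on a key that was already checked into a repository. Note that this only keeps material a verifier needs to bind subkeys and user IDs to the primary key; it does not validate the signatures themselves, so it must not be mistaken for certificate verification.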


Thread overview:
2022-04-11  8:17 Error updating gnurl Tanguy LE CARROUR
2022-04-18 20:24 ` Finding a “good” OpenPGP key server Ludovic Courtès
2022-04-21 17:15   ` Tanguy LE CARROUR
2022-04-28  7:35     ` Ludovic Courtès
2022-04-29 19:11   ` Philip McGrath
2022-05-02  7:21     ` Tanguy LE CARROUR
2022-05-23 14:43       ` Ludovic Courtès
2022-05-23 16:19   ` Maxime Devos
2022-05-30 15:34     ` Ludovic Courtès
2022-05-31  7:55       ` Tanguy LE CARROUR
2022-05-31  8:44       ` Maxime Devos
2022-06-01 16:31         ` Ludovic Courtès [this message]
2022-05-31 15:09       ` Vagrant Cascadian
2022-05-31 17:44         ` zimoun
2022-06-01 16:32         ` Ludovic Courtès
