From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp10.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms5.migadu.com with LMTPS id IILRNmeUl2I2OAEAbAwnHQ (envelope-from ) for ; Wed, 01 Jun 2022 18:31:36 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp10.migadu.com with LMTPS id WGznNWeUl2J0twAAG6o9tA (envelope-from ) for ; Wed, 01 Jun 2022 18:31:35 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id A24C13DE74 for ; Wed, 1 Jun 2022 18:31:35 +0200 (CEST) Received: from localhost ([::1]:45606 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nwRFu-0004H6-QM for larch@yhetil.org; Wed, 01 Jun 2022 12:31:34 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:59984) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nwRFj-0004Gj-N4 for guix-devel@gnu.org; Wed, 01 Jun 2022 12:31:23 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:38664) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nwRFi-0007bD-6h; Wed, 01 Jun 2022 12:31:22 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:In-Reply-To:Date:References:Subject:To: From; bh=YCpa0v907QKcOBxwCvX6NDhRJbc7svN4LUHotG+mjtg=; b=i6F+sT33Q5fyoeSPqKzV /DFQZgxIaTc4RlepVBvk/GeOZVyA1DGJMPOo8BO5mbIAn0djEs/HMve8wrdpfDD9rI4DfgH+4nsYx JedXFer4XwEsFcASXKjAzma6XbcAzHVuk83R6Byr8eyoArEvXSYfsmhw3dB3r3botVrTRfcOONKR3 OSAs+C1P3LT1uftQTgikphPwdhsXbUYnIpPOChKya2BJn+V4wK38z2LVOIQyTBpxL+kQS3R6TmgEk kwNzz6F/TwEiAM8FR/KQa3R4V+zetq//IsFVpzZCgyiBb1aPv07O/0QmN6S7QAcMMgcnK/ChxJvKv vGC4CLvoehjt+w==; Received: from 91-160-117-201.subs.proxad.net ([91.160.117.201]:56096 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nwRFh-0006Pg-Ce; Wed, 01 Jun 2022 12:31:21 -0400 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: Maxime Devos Cc: Tanguy LE CARROUR , guix-devel@gnu.org Subject: Re: Finding a =?utf-8?B?4oCcZ29vZOKAnQ==?= OpenPGP key server References: <164966505518.14431.3309259068866383863@localhost> <87tuaqw36n.fsf@gnu.org> <87czfv2fvw.fsf@gnu.org> <7a2b453ae575934417f209b018ad96227cf68266.camel@telenet.be> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: Tridi 13 Prairial an 230 de la =?utf-8?Q?R=C3=A9volu?= =?utf-8?Q?tion=2C?= jour du Pois X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Wed, 01 Jun 2022 18:31:19 +0200 In-Reply-To: <7a2b453ae575934417f209b018ad96227cf68266.camel@telenet.be> (Maxime Devos's message of "Tue, 31 May 2022 10:44:08 +0200") Message-ID: <87leuguyzs.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN X-Migadu-To: larch@yhetil.org X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1654101095; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=YCpa0v907QKcOBxwCvX6NDhRJbc7svN4LUHotG+mjtg=; b=lBPW8KMXbwlGqEje8qVDox6nlmhSVneHNl8IRx9Lyw4ZKuh4gRr+g0wANIEBONX7MNDU+f aWkBYcZJwY3p6UQdMPNko6LuRK1EFySEuxHuhn1bOuV2t6vutvu+JHiIN36jfLVYEoVu1h Ag4wGbioof0/uAAl3tA+B6uly2UDff3nwgD2eYWS8lFeoVAueyEKpAzEY1sHIWRFVR+JZv bEHconkct1W0Zn8jueIBN7RpH9BhMYGEmer8D50g+GMzRgY5OQ4Ohd6ZSptomWgMleK0l/ ME8bCv74KEw5RN/d3HWwYIJQ/oSdghLXlTGzJE4N60/SqEgW+Q5GF6A3q0eIIw== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1654101095; a=rsa-sha256; cv=none; b=Fmbn11WqIVJa/DYKTBj/pfinsK17A5pOYeqjk2Thqjox+wQzLCg8b2uS5gzvIpRbGlKJE/ G9XgoO5FF6ITW3VG2Vr1BwGgOMCdoBzpAWxDb23RKfBE4Q5VfF7iux8zrFhJpCEbjQn2XF 7bUuTAX+1qOzi6uyJj4R2iU6x0zT0AkYrEdX23Yb2GxlaCbVi08i3tm6AsRVFRTWTkmICO H9OgVEkYAvb8HHjQ1cxUpj7dUpbFZ4M5EbJc6SF/iL2Ir9t0iJWhCK4YPK8X/RZm2mUceq GoQylu4aZgUQjbSVqq6nAfP9ysvWR6J03nAlkfdD1ZObOItlFbtNsoQAj4htUQ== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=gnu.org header.s=fencepost-gnu-org header.b=i6F+sT33; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: -5.23 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=gnu.org header.s=fencepost-gnu-org header.b=i6F+sT33; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: A24C13DE74 X-Spam-Score: -5.23 X-Migadu-Scanner: scn1.migadu.com X-TUID: VgFIOGiP/dGE Maxime Devos skribis: > Ludovic Court=C3=A8s schreef op ma 30-05-2022 om 17:34 [+0200]: [...] >> We could also have our own key server.=C2=A0 Just like =E2=80=98guix lin= t -c >> archival=E2=80=99 triggers SWH archival, we could have a tool that trigg= ers >> key download on the server so that crypto material never vanishes. > > Is archival important here though? If the crypto material vanishes, > presumably that means the corresponding author stopped updating the > source code, so it won't be useful anymore (except for after-the-fact > verification?). If you want to be able to authenticate software, even after the fact, then key material needs to be available (that=E2=80=99s why the commit authentication framework lets you store keys in the repo). > What benefit would a Guix key server bring us? It would allow us to archive signing keys of all the software packages ever added to Guix. I can picture a new ambitious project that we could call: OpenPGP Key Heritage. > I guess my suggestion is to skip any intermediate infrastructure and > let the Guix repo itself be the key =E2=80=98server=E2=80=99 (when using = local-file > (*)) or download directly from the site where the key is located. > > (*) if space is concern, there are some GPG options that can be used > for stripping out the photo ids and the various signatures by other > people and keep only the bits actually required by Guix. Let=E2=80=99s assume 10K packages are signed, and that the signing key chan= ges once per year. After 5 years, we=E2=80=99d have accumulated 50K OpenPGP certificates in the repo. Even if they are stripped (no user ID, no photo, etc.), that=E2=80=99s still non-negligible. So yes, I=E2=80=99d rather have it out-of-band. :-) Ludo=E2=80=99.