From mboxrd@z Thu Jan 1 00:00:00 1970
From: Christopher Lemmer Webber
Subject: Re: Suggest another way of importing GNU Guix GPG key
Date: Sat, 29 Jun 2019 17:57:27 -0400
Message-ID: <87d0iwkqbc.fsf@dustycloud.org>
References: <2d61cb3fffbc88860c192735f4bd31a0@free.fr> <86mui02hpq.fsf@gmail.com>
In-reply-to: <86mui02hpq.fsf@gmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: guix-devel@gnu.org

That's probably the right way to do it for now.

Alex Vong writes:

> Hello,
>
> One solution would be to download the keyring from
> and verify the signature in
> the following way:
>
> $ gpg --keyring ./gnu-keyring.gpg --verify guix-1.0.1.tar.gz.sig guix-1.0.1.tar.gz
>
> Cheers,
> Alex
>
> dftxbs3e@free.fr writes:
>
>> Hello,
>>
>> SKS keyservers are currently under attack
>> (https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f) -
>> the attack can cause a GPG client to freeze completely and mess the
>> GPG installation completely.
>>
>> I suggest GNU Guix proposes another way of importing the GPG keys so
>> that users will not suffer from this problem.
>>
>> There's another, newer, keyserver, proposed in this gist, that is run
>> by new software that doesn't suffer from this attack. See:
>> https://keys.openpgp.org/about/news#2019-06-12-launch
>>
>> However, that keyserver is not replicated. You could either use that
>> one or simply offer a download of the key over TLS with verification
>> against installed CAs, as secure as this can get.
>>
>> Regards
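
Added example, not part of the thread or of Guix: a shell wrapper around the `gpg --verify` command quoted above that trusts only the downloaded keyring, disables key retrieval from keyservers, and pins the signer's fingerprint, since a keyring holding several keys accepts a valid signature from any of them. The function names, the sample fingerprint and the sample status line are constructed for illustration; the real fingerprint must come from a source you trust.

```shell
#!/bin/sh
# Constructed sample data: a made-up fingerprint and a gpg status line using it.
SAMPLE_FPR='0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_STATUS="[GNUPG:] VALIDSIG $SAMPLE_FPR 2019-05-19 1558224000 0 4 0 1 8 00 $SAMPLE_FPR"

# signer_ok EXPECTED_FPR
# Reads `gpg --status-fd` lines on stdin. Succeeds only if no signature is
# bad, unverifiable, or made by an expired or revoked key, and a VALIDSIG
# names EXPECTED_FPR as the primary key (field 12; falls back to the
# signing-key fingerprint in field 3 when field 12 is absent).
signer_ok() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            primary = (NF >= 12) ? $12 : $3
            if (toupper(primary) == want) ok = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_release KEYRING SIGNATURE FILE EXPECTED_FPR
# Same verification as the quoted command, restricted to KEYRING and with
# automatic key retrieval disabled, then pinned to one expected signer.
# Example call (fingerprint is a placeholder to be filled in by the user):
#   verify_release ./gnu-keyring.gpg guix-1.0.1.tar.gz.sig guix-1.0.1.tar.gz "<FINGERPRINT>"
verify_release() {
    gpg --no-default-keyring --keyring "$1" --no-auto-key-retrieve \
        --status-fd 1 --verify "$2" "$3" 2>/dev/null | signer_ok "$4"
}
```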