From: Simon Josefsson via Gnulib discussion list
Reply-to: Simon Josefsson
To: bug-gnulib@gnu.org
Subject: announce-gen and OpenPGP key servers
Date: Tue, 27 Jul 2021 11:38:27 +0200
Message-ID: <87y29sf65o.fsf@latte.josefsson.org>
OpenPGP: id=B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE; url=https://josefsson.org/key-20190320.txt

Hi.

Our announce-gen contains:

  If that command fails because you don't have the required public key,
  then run this command to import it:

    gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id

Given recent OpenPGP key server issues, that doesn't work reliably any more, and behaves differently for different GnuPG versions.

What should we recommend instead? Werner Koch said:

https://lists.gnupg.org/pipermail/gnupg-devel/2021-July/034937.html

I like WKD, but not all of us have published their OpenPGP key there, and some may never be able to (it requires that you can put a file on your e-mail domain's https server). Still, I think it is the best long-term solution.

How about the patch below? It is not meant to be committed, but to start discussion.

I think we should do more than the patch. The OpenPGP web of trust seems to be under attack and is not as usable any more. Our announcements don't contain the full OpenPGP key fingerprint, which they should. The release announcement could include hash checksums of the files too. Some of us publish our OpenPGP keys at a https URL, and including that link in the announcement would also help. That could point to the Savannah PGP page, but I think few of us keep that maintained and the URL looks horrible.

Maybe we should involve the ftp-upload@gnu.org people. Having the OpenPGP key database they use be published on gnu.org would help.

Let's discuss and see what we can do.

/Simon

diff --git a/build-aux/announce-gen b/build-aux/announce-gen index daa478c8e..a696bff89 100755 =2D-- a/build-aux/announce-gen +++ b/build-aux/announce-gen @@ -549,7 +549,12 @@ then run this command to import it: =20 gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id =20 =2Dand rerun the 'gpg --verify' command. +You may also try other key servers such as keyserver.ubuntu.com or +pgp.mit.edu. With newer GnuPG versions you may use the following +command to download and refresh any expired key: + + gpg --auto-key-locate=3Dclear,wkd,nodefault --locate-key simon@josefsson= .org + EOF =20 my @tool_versions =3D get_tool_versions (\@tool_list, $gnulib_version);
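
Review bot: the added "gpg --auto-key-locate=clear,wkd,nodefault --locate-key" line hard-codes simon@josefsson.org, while the keyserver command just above it is filled in from $gpg_key_id; since announce-gen output is used for other maintainers' releases, the address should come from a per-release value for the signer rather than a literal. The hunk also deletes "and rerun the 'gpg --verify' command." without a replacement, so the generated text no longer tells the reader to verify again after importing the key; that sentence should stay, placed after the new paragraph. Neither the keyserver lookups nor the WKD lookup by address tells the reader which key to expect, so printing the full fingerprint next to these commands, as the message above proposes, would let the imported key be checked before the signature is trusted. The unchanged context line still recommends keys.gnupg.net, which the message says no longer works reliably.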