From: Jim Meyering <jim@meyering.net>
To: Simon Josefsson <simon@josefsson.org>
Cc: "bug-gnulib@gnu.org List" <bug-gnulib@gnu.org>
Subject: Re: announce-gen and OpenPGP key servers
Date: Tue, 27 Jul 2021 18:57:15 -0700
Message-ID: <CA+8g5KEgYSUGBKqPVHZqEw2FfJ9bZ-YFynuqvR5ZyJrAFWebtg@mail.gmail.com>
In-Reply-To: <87y29sf65o.fsf@latte.josefsson.org>
On Tue, Jul 27, 2021 at 2:38 AM Simon Josefsson via Gnulib discussion
list <bug-gnulib@gnu.org> wrote:
> Hi. Our announce-gen contains:
>
> If that command fails because you don't have the required public key,
> then run this command to import it:
> gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
>
> Given recent OpenPGP key server issues, that doesn't work reliably any
> more, and behaves differently for different GnuPG versions. What should we
> recommend instead? Werner Koch said:
>
> https://lists.gnupg.org/pipermail/gnupg-devel/2021-July/034937.html
>
> I like WKD, but not all of us have published their OpenPGP key there, and
> some may never be able to (it requires that you can put a file on your
> e-mail domain's https server). Still, I think it is the best long-term
> solution.
>
> How about the patch below? It is not meant to be committed, but to start
> discussion.
>
> I think we should do more than the patch. The OpenPGP web of trust
> seems to be under attack and is not as usable any more.
>
> Our announcements don't contain the full OpenPGP key fingerprint,
> which they should.
>
> The release announcement could include hash checksums of the files too.
>
> Some of us publish our OpenPGP keys at a https URL, and including that
> link in the announcement would also help. That could point to the
> Savannah PGP page, but I think few of us keep that maintained and the
> URL looks horrible.
>
> Maybe we should involve the ftp-upload@gnu.org people. Having the
> OpenPGP key database they use be published on gnu.org would help.
>
> Let's discuss and see what we can do.
>
> /Simon
>
> diff --git a/build-aux/announce-gen b/build-aux/announce-gen
> index daa478c8e..a696bff89 100755
> --- a/build-aux/announce-gen
> +++ b/build-aux/announce-gen
> @@ -549,7 +549,12 @@ then run this command to import it:
>
> gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
>
> -and rerun the 'gpg --verify' command.
> +You may also try other key servers such as keyserver.ubuntu.com or
> +pgp.mit.edu. With newer GnuPG versions you may use the following
> +command to download and refresh any expired key:
> +
> + gpg --auto-key-locate=clear,wkd,nodefault --locate-key simon@josefsson.org
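Review bot: the added `--locate-key simon@josefsson.org` line hardcodes one maintainer's address into a template that every package's announcement will carry, so readers of other projects' announcements would fetch the wrong key; it should use the per-release variable the existing line already uses (`$gpg_key_id`) or a new address variable filled in by the script. Two further points on the same hunk: the removed line "and rerun the 'gpg --verify' command." has no replacement in the visible part of the hunk (the header announces 12 new lines and 11 are shown), so the reader is no longer told to re-run the verification after importing; and since every retrieval path listed here (keyserver or WKD) imports whatever key the network returns, the text should tell the reader to compare the imported key's full fingerprint against one obtained out of band, which is exactly what the cover mail proposes adding to the announcement.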
I've just run that, and it failed like this:
gpg: error retrieving 'simon@josefsson.org' via WKD: General error
I too agree. We must make changes to improve matters.
I was rather dismayed to see recently how hard it was to find a usable
keyserver.
Feel free to make the script generate a full fingerprint and even
(though it feels a little like giving up) add a checksum or two.
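The thread proposes putting the full key fingerprint and file checksums into the announcement. The following is an added example, not code from announce-gen or from either author, of what a release consumer would then do with them: parse GnuPG's machine-readable `--status-fd` output instead of trusting the human-readable "Good signature" text, insist that the signing key (or its primary key) has exactly the announced 40-hex-digit fingerprint, and check `sha256sum`-style checksum lines. The key fingerprints, key id, user id and tarball bytes below are constructed stand-ins, not real keys or releases; `gpg_verify_status()` is the only part that needs a real `gpg` binary and is not exercised by the sample data.

```python
"""Verify a release signature the way the announcement should let you:
full-fingerprint match plus checksum, driven by gpg --status-fd output.
Added example; not part of announce-gen."""
import hashlib
import subprocess
from dataclasses import dataclass, field

# Status keywords after which the signature must not be accepted, whatever
# else gpg printed (ERRSIG / NO_PUBKEY is the "key not imported" case).
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


@dataclass
class VerifyResult:
    good: bool = False                      # a GOODSIG line was seen
    rejected: set = field(default_factory=set)
    signing_fpr: str = ""                   # fingerprint of the (sub)key that signed
    primary_fpr: str = ""                   # fingerprint of its primary key, if reported
    missing_keyid: str = ""                 # long key id from NO_PUBKEY, if any


def parse_status(status_text: str) -> VerifyResult:
    """Parse '[GNUPG:] ...' lines as written by gpg --status-fd."""
    r = VerifyResult()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            r.good = True
        elif keyword in REJECT_KEYWORDS:
            r.rejected.add(keyword)
            if keyword == "NO_PUBKEY" and len(fields) > 2:
                r.missing_keyid = fields[2]
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved>
            #          <pk-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
            r.signing_fpr = fields[2].upper()
            if len(fields) >= 12:
                r.primary_fpr = fields[11].upper()
    return r


def normalize_fpr(fpr: str) -> str:
    """Accept the spaced form shown in announcements ('ABCD EF01 ...')."""
    return fpr.replace(" ", "").upper()


def signature_acceptable(status_text: str, expected_fpr: str) -> bool:
    """True only if gpg reported a good, valid signature AND the key that
    made it (or its primary key) has exactly the announced fingerprint."""
    r = parse_status(status_text)
    if not r.good or r.rejected or not r.signing_fpr:
        return False
    want = normalize_fpr(expected_fpr)
    if len(want) != 40:          # refuse short/long key ids: a full v4 fingerprint or nothing
        return False
    return want in (r.signing_fpr, r.primary_fpr)


def verify_checksums(checksum_lines: str, files: dict) -> dict:
    """Check sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>')
    against file contents; returns {name: bool}. Listed-but-missing files
    count as failures, so a truncated download cannot pass."""
    results = {}
    for line in checksum_lines.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        data = files.get(name)
        results[name] = data is not None and hashlib.sha256(data).hexdigest() == digest
    return results


def gpg_verify_status(sig_path: str, file_path: str) -> str:
    """Run gpg and return its status output (needs a real gpg; not used by the samples)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True, check=False)
    return proc.stdout


# Constructed samples of gpg --status-fd output (fake key, fake user id).
SIGNING_FPR = "1111111111111111111111111111111111111111"
PRIMARY_FPR = "ABCDEF0123456789ABCDEF0123456789ABCDEF01"
SAMPLE_GOOD = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Example Maintainer <maint@example.org>
[GNUPG:] VALIDSIG {SIGNING_FPR} 2021-07-27 1627380000 0 4 0 1 8 00 {PRIMARY_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_NO_KEY = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 1111111111111111 1 8 00 1627380000 9 1111111111111111111111111111111111111111
[GNUPG:] NO_PUBKEY 1111111111111111
"""
SAMPLE_BAD = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 1111111111111111 Example Maintainer <maint@example.org>
"""
# Constructed stand-in for a tarball; the digest is sha256("abc").
SAMPLE_FILES = {"example-1.0.tar.gz": b"abc"}
SAMPLE_CHECKSUMS = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  example-1.0.tar.gz\n"

if __name__ == "__main__":
    print("good, announced primary fpr:", signature_acceptable(SAMPLE_GOOD, PRIMARY_FPR))
    print("good, wrong fpr:", signature_acceptable(SAMPLE_GOOD, "2" * 40))
    print("key missing, import id:", parse_status(SAMPLE_NO_KEY).missing_keyid)
    print("checksums:", verify_checksums(SAMPLE_CHECKSUMS, SAMPLE_FILES))
```

`signature_acceptable()` matches either the signing subkey or the primary key because announcements usually list the primary key fingerprint while releases are often signed with a subkey; it still rejects anything shorter than a full fingerprint, so a short key id pasted into an announcement cannot satisfy it. When `NO_PUBKEY` is reported, `missing_keyid` is the id the reader needs to fetch, by whichever keyserver or WKD path the announcement recommends, before re-running the verification.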
Thread overview (11+ messages):
2021-07-27 9:38 announce-gen and OpenPGP key servers Simon Josefsson via Gnulib discussion list
2021-07-27 18:48 ` Paul Eggert
2021-07-28 1:57 ` Jim Meyering [this message]
2021-08-03 15:40 ` Simon Josefsson via Gnulib discussion list
2021-08-03 17:52 ` Jim Meyering
2021-08-03 19:20 ` Simon Josefsson via Gnulib discussion list
2021-08-03 19:25 ` Paul Eggert
2021-08-03 23:51 ` Jim Meyering
2021-08-04 9:19 ` Simon Josefsson via Gnulib discussion list
2021-08-01 15:47 ` Bernhard Voelker
2021-08-02 10:09 ` Simon Josefsson via Gnulib discussion list