bug-gnulib@gnu.org mirror (unofficial)
From: Jim Meyering <jim@meyering.net>
To: Simon Josefsson <simon@josefsson.org>
Cc: "bug-gnulib@gnu.org List" <bug-gnulib@gnu.org>
Subject: Re: announce-gen and OpenPGP key servers
Date: Tue, 27 Jul 2021 18:57:15 -0700
Message-ID: <CA+8g5KEgYSUGBKqPVHZqEw2FfJ9bZ-YFynuqvR5ZyJrAFWebtg@mail.gmail.com>
In-Reply-To: <87y29sf65o.fsf@latte.josefsson.org>

On Tue, Jul 27, 2021 at 2:38 AM Simon Josefsson via Gnulib discussion
list <bug-gnulib@gnu.org> wrote:
> Hi.  Our announce-gen contains:
>
>   If that command fails because you don't have the required public key,
>   then run this command to import it:
>   gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
>
> Given recent OpenPGP key server issues, that doesn't work reliably any
> more, and behaves differently for different GnuPG versions.  What should we
> recommend instead?  Werner Koch said:
>
> https://lists.gnupg.org/pipermail/gnupg-devel/2021-July/034937.html
>
> I like WKD, but not all of us have published their OpenPGP key there, and
> some may never be able to (it requires that you can put a file on your
> e-mail domain's https server).  Still, I think it is the best long-term
> solution.
>
> How about the patch below?  It is not meant to be committed, but to start
> discussion.
>
> I think we should do more than the patch.  The OpenPGP web of trust
> seems to be under attack and is not as usable any more.
>
> Our announcements don't contain the full OpenPGP key fingerprint,
> which they should.
>
> The release announcement could include hash checksums of the files too.
>
> Some of us publish our OpenPGP keys at a https URL, and including that
> link in the announcement would also help.  That could point to the
> Savannah PGP page, but I think few of us keep that maintained and the
> URL looks horrible.
>
> Maybe we should involve the ftp-upload@gnu.org people.  Having the
> OpenPGP key database they use be published on gnu.org would help.
>
> Let's discuss and see what we can do.
>
> /Simon
>
> diff --git a/build-aux/announce-gen b/build-aux/announce-gen
> index daa478c8e..a696bff89 100755
> --- a/build-aux/announce-gen
> +++ b/build-aux/announce-gen
> @@ -549,7 +549,12 @@ then run this command to import it:
>
>    gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
>
> -and rerun the 'gpg --verify' command.
> +You may also try other key servers such as keyserver.ubuntu.com or
> +pgp.mit.edu.  With newer GnuPG versions you may use the following
> +command to download and refresh any expired key:
> +
> +  gpg --auto-key-locate=clear,wkd,nodefault --locate-key simon@josefsson.org
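Review bot: the hunk deletes the closing instruction "and rerun the 'gpg --verify' command." but none of the added lines tells the reader to re-run the verification after importing or refreshing the key, so the generated procedure now stops at the import step; keep that sentence after the new paragraph. The added `gpg --auto-key-locate=clear,wkd,nodefault --locate-key simon@josefsson.org` line also hard-codes one maintainer's address into a template that every project using announce-gen emits; the surrounding text already substitutes `$gpg_key_id`, so the WKD address should be supplied per release the same way, or the WKD paragraph omitted when the maintainer has no WKD-published key, which the message itself says is the case for some. Lastly, pointing readers at keyserver.ubuntu.com and pgp.mit.edu as alternates only helps if they can compare what they received with the signer's full fingerprint, which the same message notes the announcements currently lack; print the fingerprint next to these commands.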

I've just run that, and it failed like this:

  gpg: error retrieving 'simon@josefsson.org' via WKD: General error

I too agree. We must make changes to improve matters.
I was rather dismayed to see recently how hard it was to find a usable
keyserver.

Feel free to make the script generate a full fingerprint and even
(though it feels a little like giving up) add a checksum or two.
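As an added illustration, and not code from this thread or from announce-gen, here is Python that shows what the quoted `--locate-key` command does behind the scenes and what the two additions discussed above (full fingerprint, checksums) let a recipient check. It derives the two WKD URLs gpg queries for an address, extracts the one full fingerprint from an announcement text, compares it with the fingerprint gpg reports for the key actually received, and checks sha256sum-style lines against the downloaded files. The announcement, file contents and fingerprint are constructed for the example; `Joe.Doe@Example.ORG` is the worked example from the WKD draft.

```python
# Added example: WKD lookup URLs plus fingerprint and checksum checks for a
# release announcement.  Not part of announce-gen; sample data is constructed.
import hashlib
import re
from urllib.parse import quote

# z-base-32 alphabet, as used by the WKD draft for the local-part hash.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32: 5 bits per character, most significant bit first, no padding."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5          # right-pad to a multiple of 5 bits (0 for SHA-1)
    value <<= pad
    nbits += pad
    return "".join(ZBASE32_ALPHABET[(value >> shift) & 0x1F]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """WKD hash of a mail local-part: z-base-32(SHA-1(lowercased local-part))."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """The 'advanced' and 'direct' WKD URLs gpg tries, in that order, for an address.

    Publishing a key for WKD means serving the binary key at one of these paths on
    the mail domain's https server, which is the requirement the thread mentions.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    domain = domain.lower()
    h = wkd_hash(local)
    query = "?l=" + quote(local, safe="")   # 'l' carries the original local-part
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{query}",
    }


# Ten groups of four hex digits, as gpg prints a 160-bit fingerprint.  The
# lookarounds keep a 40-digit window out of a longer SHA-256 hex string.
_FPR_RE = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{4} *){9}[0-9A-Fa-f]{4}(?![0-9A-Fa-f])")


def normalize_fingerprint(text: str) -> str:
    """Drop whitespace and upper-case, so gpg output and announcement text compare."""
    return re.sub(r"\s+", "", text).upper()


def announced_fingerprint(announcement: str) -> str:
    """Return the single full fingerprint in an announcement.

    8- or 16-digit key IDs are deliberately not accepted: only the full
    fingerprint identifies a key unambiguously.
    """
    found = {normalize_fingerprint(m) for m in _FPR_RE.findall(announcement)}
    if len(found) != 1:
        raise ValueError(f"expected exactly one full fingerprint, found {sorted(found)}")
    return found.pop()


def key_matches_announcement(announcement: str, received_fingerprint: str) -> bool:
    """True only if the key gpg fetched has exactly the announced fingerprint."""
    return normalize_fingerprint(received_fingerprint) == announced_fingerprint(announcement)


def verify_checksums(announcement: str, files: dict) -> dict:
    """Check sha256sum-style lines ('<64 hex>  <name>') against file contents.

    Every listed file gets a result; one missing from `files` is False, not skipped.
    """
    results = {}
    for line in announcement.splitlines():
        m = re.fullmatch(r"\s*([0-9a-fA-F]{64})\s+\*?(\S+)\s*", line)
        if m:
            expected, name = m.group(1).lower(), m.group(2)
            data = files.get(name)
            results[name] = data is not None and hashlib.sha256(data).hexdigest() == expected
    return results


# Constructed sample release (hypothetical file, fingerprint and address).
RELEASE_FILES = {"foo-1.0.tar.gz": b"not a real tarball\n"}
SAMPLE_ANNOUNCEMENT = f"""\
SHA-256 checksums (sha256sum format):
  {hashlib.sha256(RELEASE_FILES["foo-1.0.tar.gz"]).hexdigest()}  foo-1.0.tar.gz

This release was signed with the key having this (hypothetical) fingerprint:
  Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
  WKD address: maintainer@example.org
"""

if __name__ == "__main__":
    for method, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{method}: {url}")
    print("announced:", announced_fingerprint(SAMPLE_ANNOUNCEMENT))
    print("checksums:", verify_checksums(SAMPLE_ANNOUNCEMENT, RELEASE_FILES))
```

In practice the second argument to `key_matches_announcement` would be the `fpr` field from `gpg --with-colons --fingerprint <addr>` after the WKD fetch; a mismatch means the key that came back is not the one the announcement vouches for, whichever server or directory it came from.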



Thread overview: 11+ messages
2021-07-27  9:38 announce-gen and OpenPGP key servers Simon Josefsson via Gnulib discussion list
2021-07-27 18:48 ` Paul Eggert
2021-07-28  1:57 ` Jim Meyering [this message]
2021-08-03 15:40   ` Simon Josefsson via Gnulib discussion list
2021-08-03 17:52     ` Jim Meyering
2021-08-03 19:20       ` Simon Josefsson via Gnulib discussion list
2021-08-03 19:25         ` Paul Eggert
2021-08-03 23:51           ` Jim Meyering
2021-08-04  9:19             ` Simon Josefsson via Gnulib discussion list
2021-08-01 15:47 ` Bernhard Voelker
2021-08-02 10:09   ` Simon Josefsson via Gnulib discussion list
