On 5/12/20 1:24 AM, Michał Górny wrote:
> On Mon, 11.05.2020 at 20∶20 -0400, user Aisha Tammy
> wrote:
>> Hi devs@,
>> Seems like for some reason gentoo.org does not publish the
>> gpg public keys of the senders, even though it is signed correctly.
> 

Oh, very sorry if I came out that way. I wasn't being passive aggressive.
Sometimes I write things the wrong way. I should have definitely written 
it better :(

>>
>> Just wanted to know why the devs are required to use gpg keys, glep63
>> [1]
>> but even when the server has the public keys, they aren't published
>> properly.
>>
>> From a proper security perspective, I would have thought something
>> like WKD[2] would have been implemented on the server side for
>> automated authentication.
> 
> WKD is implemented and I don't know a single case where it wouldn't
> work.  If it doesn't work for you, then I dare say it's more likely to
> be a problem with your setup.  However, if it's a problem on our end,
> I'd really appreciate a bug report before calling us retarded.
> 
> In fact, the link you've posted actually lists gentoo.org as one
> of the few organizations implementing WKD.
> 
Oh my, now I really feel bad. I definitely don't want to call anyone retarded
or any such words. I never like to use very strong words such as those.
While I agree I should've worded it better, please don't make it look like
I am name calling and insulting everybody, and being a jerk in general.
So I would really love it if you don't put those words in my mouth for me.

I actually thought that this was the proper channel to ask for these things.
Maybe the dev mailing list was not the proper place, I didn't think about
it being perceived as accusatory. I mostly thought it would be related to 
a bug or an oversight.


It is 110% possible for my setup to have mistakes. I even said as much.
I would love to fix that.

Indeed, because the link actually mentioned that gentoo.org has setup
WKD that is why I was a bit surprised when some of the keys were not found.

> Why do you claim that?  How did you verify it?

I am using enigmail + thunderbird, which I thought should be making
proper requests for the WKD keys, and it reported that for some of the emails
sent from devs the keys were not found on the keyserver.

I will be doing a lot more debugging today and will try to see where things
went wrong on my end. Now that you say it has been implemented properly, I feel that
I should do a lot more work on my side :)

>>
>> Maybe I am missing something about how to verify the keys of the
>> maintainers who are sending announcements but it irks me a teensy bit
>> when I have signed mails and I can't ~~trust~~ verify the signatures.
>>
>>
> 
> You are missing that WKD does not provide authentication, and if it
> were, it would be considered thoroughly insecure.  Authentication
> in OpenPGP is generally provided via web of trust.  For Gentoo
> developers, you can also use our Authority Keys [3,4,5].
> 

This is actually an interesting point. It might be better to discuss that over
IRC.
The web of trust is actually a topic about which I have some weird thoughts.

Best,
Aisha

>>
>> [1] 
>> https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys
>> [2] https://wiki.gnupg.org/WKD
> 
> [3] https://www.gentoo.org/downloads/signatures/
> [4] https://www.gentoo.org/glep/glep-0079.html
> [5] https://wiki.gentoo.org/wiki/Project:Infrastructure/Authority_Keys
> 
> 

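The thread turns on two separate things: whether a WKD lookup for a gentoo.org address finds a key at all (a discovery question that can be checked by hand), and whether a found key is authentic (which WKD does not answer; the Authority Keys do). The following is an added example, not code from the thread or from Gentoo infra, that computes the two WKD lookup URLs for an address offline, so a practitioner can fetch them with curl or compare them with what a mail client requests. It implements the hashing rule from the WKD draft (SHA-1 of the lowercased local part, z-base-32 encoded, with the original local part passed back as the `l=` query parameter) and the "advanced" and "direct" method paths; the `Joe.Doe@Example.ORG` vector is the draft's own example, and `example.org` / `dev@gentoo.org` are placeholder inputs. A 200 response at one of these URLs only proves that the domain served that key; authenticating it is a separate step (for Gentoo developers, the Authority Keys signature chain linked above).

```python
"""Compute OpenPGP Web Key Directory (WKD) lookup URLs for an e-mail address.

Added example following the WKD draft (draft-koch-openpgp-webkey-service):
  hash = zbase32(sha1(lowercase(local-part)))
  advanced: https://openpgpkey.<domain>/.well-known/openpgpkey/<domain>/hu/<hash>?l=<local-part>
  direct:   https://<domain>/.well-known/openpgpkey/hu/<hash>?l=<local-part>
Only the local part is hashed; the domain is lowercased and used verbatim.
"""
import hashlib
import urllib.parse

# z-base-32 alphabet, as used by WKD (not RFC 4648 base32).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, consuming bits MSB-first, 5 at a time."""
    bits = 0
    nbits = 0
    out = []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(bits >> nbits) & 31])
    if nbits:  # left-justify the remaining bits into a final symbol
        out.append(ZBASE32_ALPHABET[(bits << (5 - nbits)) & 31])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """WKD hashed local part: z-base-32 of SHA-1 over the lowercased local part."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)  # 160 bits -> exactly 32 characters


def wkd_urls(address: str) -> dict:
    """Return the advanced and direct lookup URLs, plus the policy-file URLs
    a client uses to decide which method the domain supports."""
    local_part, sep, domain = address.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    hashed = wkd_hash(local_part)
    # The draft sends the original (un-lowercased) local part back as 'l='.
    query = "?l=" + urllib.parse.quote(local_part, safe="")
    advanced_base = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    direct_base = f"https://{domain}/.well-known/openpgpkey"
    return {
        "hash": hashed,
        "advanced": f"{advanced_base}/hu/{hashed}{query}",
        "direct": f"{direct_base}/hu/{hashed}{query}",
        "advanced_policy": f"{advanced_base}/policy",
        "direct_policy": f"{direct_base}/policy",
    }


if __name__ == "__main__":
    # Placeholder inputs: the draft's own example address and a made-up dev address.
    for addr in ("Joe.Doe@Example.ORG", "dev@gentoo.org"):
        urls = wkd_urls(addr)
        print(addr)
        for key in ("hash", "advanced", "direct"):
            print(f"  {key:9} {urls[key]}")
```

To compare against GnuPG's own view, `gpg-wks-client --print-wkd-url Joe.Doe@Example.ORG` prints the same advanced-method URL, and `gpg --auto-key-locate clear,nodefault,wkd --locate-keys <address>` performs the actual fetch (clients try the advanced method first and fall back to direct). Fetching the URL with `curl -sI` distinguishes "key not published" (404) from a client-side problem, which is the split the thread is trying to make.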