On 05/12/20 01:24, Michał Górny wrote:
> On Mon, 11.05.2020 at 20:20 -0400, Aisha Tammy wrote:
>> Hi devs@,
>>  Seems like for some reason the gentoo.org does not publish the 
>> gpg public keys of the senders, even though it is signed correctly.
> 
> Why do you claim that?  How did you verify it?  Why are you jumping
> straight to passive-aggressive accusations without asking nicely first?
> 
That last question could very much be asked of you because of your
asking it of them. They needed information, at least some of which you
did give, not clutching of pearls and baseless protestations of offense.

>>
>> Just wanted to know why the devs are required to use gpg keys, glep63 [1]
>> but even when the server has the public keys, they aren't published
>> properly.
>>
>> From a proper security perspective, I would have thought something
>> like WKD[2] would have been implemented on the server side for automated
>> authentication.
> 
> WKD is implemented and I don't know a single case where it wouldn't
> work.  If it doesn't work for you, then I dare say it's more likely to
> be a problem with your setup.  However, if it's a problem on our end,
> I'd really appreciate a bug report before calling us retarded.
> 
Given that they did not call anyone any names, retarded or otherwise,
one could make the case that you are making a personal attack against
them by smearing them and their postings; at best that hurts your
argument as a supposedly affronted party. So, please, try to not
construct offense out of whole cloth to be performatively perturbed at;
it serves no purpose beyond making the lists less useful due to
increased noise and making social norms in Gentoo (especially on the
lists) that much less congenial.

> In fact, the link you've posted actually lists gentoo.org as one
> of the few organizations implementing WKD.
> 
>>
>> Maybe I am missing something about how to verify the keys of the maintainers
>> who are sending announcements but it irks me a teensy bit when I have signed
>> mails and I can't ~~trust~~ verify the signatures.
>>
>>
> 
> You are missing that WKD does not provide authentication, and if it
> were, it would be considered thoroughly insecure.  Authentication
> in OpenPGP is generally provided via web of trust.  For Gentoo
> developers, you can also use our Authority Keys [3,4,5].
> 
>>
>> [1] 
>> https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys
>> [2] https://wiki.gnupg.org/WKD
> 
> [3] https://www.gentoo.org/downloads/signatures/
> [4] https://www.gentoo.org/glep/glep-0079.html
> [5] https://wiki.gentoo.org/wiki/Project:Infrastructure/Authority_Keys
> 
> 

