On 161228-15:42+0100, NdK wrote:
> On 28/12/2016 13:28, Miroslav Rovis wrote:
>
>> The fact that Github, since this outgoing year, accept gpg signing only
>> if you post your public key to their servers.
>
> I can't say for sure, but maybe that's so so they can have an
> "attestation key" to use for verifying signatures, without expensive WoT
> checks.

Why would that be expensive?

Expensive is the tracking that they let the Schmoog (y'know Schmoog the
Schmoogle) do on their users...

Have a look at (sorry for the title, just moved to Pale Moon):

In Defence of Firefox: some Harvesting by Referal Decrypted
https://forums.gentoo.org/viewtopic-t-1038896.html

(where I could not post all of it, as I would have revealed my password)

Expensive (time, resources, on them and on users) is the tracking...

> BTW nothing prevents you from uploading your key to the keyservers and
> participate in the WoT -- that's the only thing that could assure who
> clones your repo that *you* signed those commits.

My keys have been on keyservers since long, but I do too little, and
insignificant, programming to have had them signed by others, yet.

>> Just some quick links in connection, for the less familiar.
>>
>> For users (like me):
>> https://help.github.com/categories/gpg/
>
> Some recommendations could be quite questionable (always use RSA 4096,
> do not set an expiry on main key, no mention of generating a revocation
> certificate...).

Of course, I have been using RSA since a few years back, and other things,
only late to update to gnupg-2, haven't had time... Missing the
functionalities, now that I really understand it ever better, and
understood that I can trust Werner Koch, Neal Walfield (why aren't they
teaching people this:

An Advanced Intro to GnuPG
https://begriffs.com/posts/2016-11-05-advanced-intro-gnupg.html

Exempli gratia, I can't read it all now (need to give it a re-read), but is
there a suggestion in my home distro, so to call it, since 8 yrs+ with it,
that you get poor security if you just keep your secret key in ~/.gnupg/ ?
Is there, if any Gentooer is reading this? ... ), and the team and what
they do.

And also Alexandre Olive replied (pasting his mail in here manually):

> Until this year there was no way to verify the signature of commits
> and releases through the GitHub website, so they created a "kind of"
> keyserver in their own server to manage users' public keys.

No, there was no way to do so in GUI, but that's not such great advantage
to have it, and you have to paste your public key, as if they couldn't get
it from good keyservers, that certainly don't track people so much, such as:

https://sks-keyservers.net/i/
and
https://pgp.mit.edu/

Before, when your git repo, or somebody else's, had a tag signed, you got
the public key anywhere, and you cloned the repo, and you could verify it;
you didn't need a GUI...

Have to go back to other work, regards!

-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
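The last paragraph of the mail describes the old, GUI-free workflow: fetch the tagger's public key from wherever, clone, and verify the signed tag locally. What `git tag -v` actually verifies is worth seeing, so here is an added example (not from the mail, and not git's or GnuPG's own code) that splits a git tag object the way git does before calling gpg: everything before the first line starting with the armor header is the signed payload, the rest is the detached signature. The sample tag object is constructed, its signature block is not a real signature, and `verify_with_gpg` assumes `gpg` is on PATH and the tagger's public key is already in the local keyring, mirroring git's own invocation (`gpg --status-fd=1 --keyid-format=long --verify <sigfile> -`).

```python
"""Split a git tag object into its signed payload and OpenPGP signature.

`git tag -v` / `git verify-tag` do this split before running gpg; seeing the
two halves shows exactly what the tagger's key covers (object id, type, tag
name, tagger line and message) and what it does not (nothing outside the tag).
"""
import re
import subprocess
import tempfile
from typing import Dict, Optional, Tuple

SIG_BEGIN = b"-----BEGIN PGP SIGNATURE-----"


def split_signed_tag(raw: bytes) -> Tuple[bytes, Optional[bytes]]:
    """Return (payload, signature); signature is None for an unsigned tag.

    Follows git's rule: the signature starts at the first line that begins
    with the armor header and runs to the end; the payload is everything
    before that line. (A message that itself contains an armor header would
    therefore be cut there, exactly as git would cut it.)
    """
    pos = 0
    while pos < len(raw):
        if raw.startswith(SIG_BEGIN, pos):
            return raw[:pos], raw[pos:]
        nl = raw.find(b"\n", pos)
        pos = len(raw) if nl == -1 else nl + 1
    return raw, None


HEADER_RE = re.compile(rb"^(object|type|tag|tagger) (.*)$")


def parse_tag_headers(payload: bytes) -> Dict[str, str]:
    """Parse the tag header block (up to the first blank line) plus message."""
    head, _, message = payload.partition(b"\n\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\n"):
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"malformed tag header: {line!r}")
        headers[m.group(1).decode()] = m.group(2).decode()
    for required in ("object", "type", "tag", "tagger"):
        if required not in headers:
            raise ValueError(f"missing tag header: {required}")
    if not re.fullmatch(r"[0-9a-f]{40}", headers["object"]):
        raise ValueError("object is not a SHA-1 object id")
    headers["message"] = message.decode()
    return headers


def verify_with_gpg(payload: bytes, signature: bytes) -> bool:
    """Hand both halves to gpg the way git does: detached signature in a temp
    file, payload on stdin. Assumes gpg on PATH and the tagger's public key in
    the local keyring; GOODSIG on the status fd is what git looks for."""
    with tempfile.NamedTemporaryFile(suffix=".sig") as sig:
        sig.write(signature)
        sig.flush()
        proc = subprocess.run(
            ["gpg", "--status-fd=1", "--keyid-format=long",
             "--verify", sig.name, "-"],
            input=payload, capture_output=True,
        )
    return proc.returncode == 0 and b"[GNUPG:] GOODSIG" in proc.stdout


# Constructed sample: the shape of `git cat-file tag v1.0` for a signed tag.
# The object id and the armored block are made up; the block is NOT a valid
# signature and will not verify.
SAMPLE_TAG = (
    b"object 0123456789abcdef0123456789abcdef01234567\n"
    b"type commit\n"
    b"tag v1.0\n"
    b"tagger Example Tagger <tagger@example.invalid> 1482928800 +0100\n"
    b"\n"
    b"Release 1.0\n"
    b"-----BEGIN PGP SIGNATURE-----\n"
    b"\n"
    b"iQIzBAABCAAdFiEEconstructedNOTAREALSIGNATURE=\n"
    b"=abcd\n"
    b"-----END PGP SIGNATURE-----\n"
)


if __name__ == "__main__":
    payload, signature = split_signed_tag(SAMPLE_TAG)
    print("signed payload:\n" + payload.decode())
    print("headers:", parse_tag_headers(payload))
    if signature is None:
        print("unsigned tag")
    else:
        try:
            print("gpg says good signature:", verify_with_gpg(payload, signature))
        except FileNotFoundError:
            print("gpg not installed; skipping verification")
```

The point the split makes visible: the signature covers the `object` line, so a verified tag pins the exact commit id, and the key used to check it can come from any keyserver or out-of-band channel; nothing in this path depends on a hosting service holding a copy of the public key.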
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users