Hi Ludo’,
Quoting Ludovic Courtès (2022-05-30 17:34:43) > Maxime Devos <maximede...@telenet.be> skribis: > > > Ludovic Courtès schreef op ma 18-04-2022 om 22:24 [+0200]: > >> [... guix refresh -u stuff failing due to not finding the key ...] > >> I’m not sure what a good solution is (other than looking for the key > >> manually on Savannah or on some random key server). > > > > Alternatively, why use key servers at all? WDYT of something like > > > > (package > > (name "gnurl") > > [...] > > (properties > > ;; Keys that are considered ‘trustworthy’ for signing releases > > ;; of gnurl. > > `((permitted-pgp-signing-keys "CABB A99E ..." "DEAD BEEF ...") > > ;; Locations of PGP key (possibly with some of them pointing to > > ;; the same key) > > (pgp-key-locations > > ,(savannah-pgp-key USER-ID) ... ; most signers are on > > savannah.gnu.org > > ,(local-file "[...]/someone.pub") ; not easily available from the > > Web > > "https://rando/key.pub"; > > "ipfs://.../..." "gnunet://...")))) ; download key via P2P networks > > > > The first part (permitted-pgp-signing-keys) has been suggested previously > > and > > seems mostly orthogonal, but the second part is new. It would reduce > > the dependency on central infrastructure. We could consider key servers > > to be ‘merely’ another fallback. > > We could also have our own key server. Just like ‘guix lint -c > archival’ triggers SWH archival, we could have a tool that triggers key > download on the server so that crypto material never vanishes. That would be a solution, I guess. But what would be the cost of setting it up and maintaining it? Is gnurl the only package with this problem or is it something that happens often?! Regards, -- Tanguy
