On Mon, 11.05.2020 at 20:20 -0400, Aisha Tammy wrote:
> Hi devs@,
> Seems like for some reason the gentoo.org does not publish the
> gpg public keys of the senders, even though it is signed correctly.

Why do you claim that? How did you verify it? Why are you jumping
straight to passive-aggressive accusations without asking nicely first?

> Just wanted to know why the devs are required to use gpg keys, glep63 [1]
> but even when the server has the public keys, they aren't published
> properly.
>
> From a proper security perspective, I would have thought something
> like WKD [2] would have been implemented on the server side for automated
> authentication.

WKD is implemented and I don't know a single case where it wouldn't work.
If it doesn't work for you, then I dare say it's more likely to be
a problem with your setup. However, if it's a problem on our end, I'd
really appreciate a bug report before calling us retarded.

In fact, the link you've posted actually lists gentoo.org as one of the few
organizations implementing WKD.

> Maybe I am missing something about how to verify the keys of the maintainers
> who are sending announcements but it irks me a teensy bit when I have signed
> mails and I can't ~~trust~~ verify the signatures.

You are missing that WKD does not provide authentication, and if it were,
it would be considered thoroughly insecure. Authentication in OpenPGP
is generally provided via web of trust. For Gentoo developers, you can
also use our Authority Keys [3,4,5].

> [1] https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys
> [2] https://wiki.gnupg.org/WKD

[3] https://www.gentoo.org/downloads/signatures/
[4] https://www.gentoo.org/glep/glep-0079.html
[5] https://wiki.gentoo.org/wiki/Project:Infrastructure/Authority_Keys

-- 
Best regards,
Michał Górny
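As an added illustration of what a WKD lookup actually consists of (this is editor-added example code, not part of the thread or of Gentoo's infrastructure): the snippet below derives the two lookup URLs the WKD draft defines (direct and advanced method) from a mail address, by z-base-32 encoding the SHA-1 of the ASCII-lowercased local part. The address used is a constructed placeholder. Nothing in this derivation, or in the HTTPS fetch it leads to, establishes that the key belongs to the sender; that is exactly why the reply above points to the web of trust and the Authority Keys for authentication.

```python
import hashlib
import string

# z-base-32 alphabet mandated by the WKD draft for the hashed local part.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding (5 bits per symbol)."""
    bits, nbits, out = 0, 0, []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(bits >> nbits) & 0x1F])
    if nbits:  # a 20-byte SHA-1 digest divides evenly; other lengths get right-padded
        out.append(ZBASE32_ALPHABET[(bits << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the local part with only ASCII letters lowercased, z-base-32 encoded.

    The result is always 32 symbols (160 bits / 5).
    """
    lowered = local_part.translate(
        str.maketrans(string.ascii_uppercase, string.ascii_lowercase)
    )
    return zbase32_encode(hashlib.sha1(lowered.encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Return the 'advanced' and 'direct' method URLs a WKD client would try, in that order."""
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    digest = wkd_hash(local_part)
    # The ?l= parameter carries the local part as given, so a server can
    # resolve case-mapping differences itself.
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                    f"{domain}/hu/{digest}?l={local_part}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{digest}?l={local_part}",
    }


if __name__ == "__main__":
    # Constructed placeholder address, not a real developer.
    for method, url in wkd_urls("Some.Developer@example.org").items():
        print(f"{method}: {url}")
```

The server returns a binary OpenPGP key at whichever URL answers first; whether that key is the right one is a question WKD leaves to signatures on it from keys you already trust.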