Frank R Dana Jr. wrote:
> unless we
> want to tell packagers to use Seahorse to retrieve
> upstream keys (and I'm assuming we don't),

We want to tell them to get keys directly from upstream whenever possible, but if they must resort to searching keyservers, then they can use Seahorse, Kleopatra, the gpg2 command, the keyservers' web interfaces or whatever method they prefer.

> I don't know what to tell them they /should/ be doing.

Look it up in the author's Web Key Directory if they have one, or meet the author in person and get their key directly from their hand, or ask them to send it by email, or snail mail, or the latest trendy proprietary messaging service, or optical telegraph. There are any number of ways to transfer a file. Most of them are insecure. The packager and the upstream author should use the most secure communication channel they have established. That usually means a file on the project's HTTPS-enabled website (because I think few email providers provide Web Key Directory service, and few DNS providers allow inserting OPENPGPKEY records).

Keyservers are pretty much the most dangerous method I can think of, as anyone can upload a key to a keyserver in someone else's name. If a packager must use a keyserver because the author won't distribute their key any other way, then the packager should try to verify the fingerprint through some other, more secure channel. It can be done by telephone if the packager happens to know the author's phone number and recognizes their voice. But with most other ways a fingerprint can be communicated, one can just as easily send the whole key, and then the keyserver wasn't needed after all.

Björn Persson
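A worked example of the two points in the mail above, added here and not part of Björn's message or any Fedora tooling: it derives the Web Key Directory lookup URLs for an address (SHA-1 of the lower-cased local part, Z-Base-32 encoded, per the WKD draft), and compares the fingerprint of a key fetched from a keyserver with one read out over a separate channel. The address and fingerprint values are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import quote

# Z-Base-32 alphabet used by the OpenPGP Web Key Directory draft
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as Z-Base-32: 5-bit groups, MSB first, no padding chars."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(ZBASE32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 31]
                   for i in range(nchars))


def wkd_urls(email: str) -> dict:
    """Return the 'advanced' and 'direct' WKD URLs for a mail address.

    The path component is the Z-Base-32 SHA-1 of the lower-cased local part;
    the original local part is passed back in the ?l= query parameter.
    """
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    hu = zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())
    l_param = quote(local, safe="")
    return {
        "advanced": (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                     f"{domain}/hu/{hu}?l={l_param}"),
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hu}?l={l_param}",
    }


def normalize_fingerprint(fpr: str) -> str:
    """Strip spacing and case so a fingerprint dictated by phone can be compared."""
    cleaned = "".join(fpr.split()).upper()
    if len(cleaned) != 40 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("not a 40-hex-digit OpenPGP v4 fingerprint")
    return cleaned


def fingerprint_matches(downloaded: str, out_of_band: str) -> bool:
    """True only if the keyserver copy matches the fingerprint confirmed out of band."""
    return hmac.compare_digest(normalize_fingerprint(downloaded),
                               normalize_fingerprint(out_of_band))


# Constructed sample fingerprint, not a real key
SAMPLE_FPR = "1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678"
```

For a real lookup, `gpg --locate-keys <address>` performs the same WKD derivation and fetch; the functions above only show what that derivation and the final fingerprint comparison consist of.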