Re: Finding a “good” OpenPGP key server

[Ludovic Courtès]

Maxime Devos <maximedevos@telenet.be> skribis:

> Ludovic Courtès schreef op ma 30-05-2022 om 17:34 [+0200]:

[...]

>> We could also have our own key server.  Just like ‘guix lint -c
>> archival’ triggers SWH archival, we could have a tool that triggers
>> key download on the server so that crypto material never vanishes.
>
> Is archival important here though?  If the crypto material vanishes,
> presumably that means the corresponding author stopped updating the
> source code, so it won't be useful anymore (except for after-the-fact
> verification?).

If you want to be able to authenticate software, even after the fact,
then key material needs to be available (that’s why the commit
authentication framework lets you store keys in the repo).

> What benefit would a Guix key server bring us?

It would allow us to archive signing keys of all the software packages
ever added to Guix.

I can picture a new ambitious project that we could call:
OpenPGP Key Heritage.

> I guess my suggestion is to skip any intermediate infrastructure and
> let the Guix repo itself be the key ‘server’ (when using local-file
> (*)) or download directly from the site where the key is located.
>
> (*) if space is concern, there are some GPG options that can be used
> for stripping out the photo ids and the various signatures by other
> people and keep only the bits actually required by Guix.

Let’s assume 10K packages are signed, and that the signing key changes
once per year.  After 5 years, we’d have accumulated 50K OpenPGP
certificates in the repo.  Even if they are stripped (no user ID, no
photo, etc.), that’s still non-negligible.

So yes, I’d rather have it out-of-band.  :-)

Ludo’.