[prev in list] [next in list] [prev in thread] [next in thread] 

List:       gentoo-dev
Subject:    Re: [gentoo-dev] adding app-crypt/gentoo-keys to @system
From:       Thomas Deutschmann <whissi () gentoo ! org>
Date:       2019-02-26 15:00:29
Message-ID: 5d136320-937a-7433-a993-8d536ad075de () gentoo ! org
[Download RAW message or body]

[Attachment #2 (multipart/mixed)]


Hi,

On 2019-02-25 17:09, Matthew Thode wrote:
> How about we allow a setting for controling which keyserver to refresh
> from.  SKS has had problems, fedora has been better (and a coworker says
> MIT is ok too).  Aparently they have a max key size set or something to
> work around keyserver 'brokenness'.
> 
> Something similiar to this would be nice, but for keyservers.
> 
> https://gist.github.com/robbat2/551fc8ea56408ee48e99909f9c26c13e

I am still not sure which problem you are trying to solve:

If you provide a way to disable key updates, you can also disable
verification in general: Our threat model allows for compromised keys
(just because you can't prevent that), so it is _essential_ that you
verify that the key is still valid as part of _each_ validation.

Fedora's keyserver are part of the normal SKS network.

Yes, gnupg doesn't handle keyserver failures very well. I.e. no real
timeout and switch to another server. But we enabled WKD a long time ago
which fixed most problems for me because this will avoid normal
keyservers in general. So I am wondering which problems do you have...


-- 
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5


["signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]