RE: Group keyrings
Hello,

Can someone remove me from this distribution list? Thank you.

-Original Message-
From: Savannah-users On Behalf Of Ineiev
Sent: March 1, 2021 2:23 PM
To: savannah-users@gnu.org
Subject: Re: Group keyrings
Re: Group keyrings
Hello;

On Tue, Feb 09, 2021 at 04:03:25PM +, Ineiev wrote:
...
> Probably, it would be better if each group had a public area
> where its admins (rather than every member) could post only keys
> used for releases, like GnuPG does [1]. I've pushed a patch for it
> to the group-keyring branch [2].

I've just installed the changes on Savannah, including updated documentation,

https://savannah.gnu.org/maintenance/UsingGpg/
https://savannah.gnu.org/maintenance/DownloadArea/

Please check if anything needs fixing; after that, we probably should make an announcement in the Savannah News area.

Thank you!
Group keyrings
Hello,

[re-posted from savannah-hackers-public]

Currently, Savannah serves all GPG keys registered in accounts of group's members as the keyring of the respective group, like [0]. This keyring doesn't work very well as a source of signing keys of group's releases, because the group may have many more members than persons who actually sign releases: any member can carelessly register new keys without thinking about the impact on the security of released files, and team's admins have but to monitor the aggregated keyring---I don't believe anyone actually does (also, people may have one key for getting encrypted personal emails and another key for signing tarballs).

In particular, the set of keys registered by members of 'emacs' has quite a few very old keys, and one of them is dsa768; as far as I understand, such keys aren't considered adequate these days. If the bad ones crack such a key and replace files on a mirror (I think it would be easier to set up a mirror and register it on Savannah than to crack the key), they'll be able to get round the signature verification for those who are unfortunate enough to pick that mirror.

Probably, it would be better if each group had a public area where its admins (rather than every member) could post only keys used for releases, like GnuPG does [1]. I've pushed a patch for it to the group-keyring branch [2].

What do people think?

[0] https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=emacs
[1] https://www.gnupg.org/signature_key.html
[2] https://git.savannah.gnu.org/cgit/administration/savane.git/log/?h=group-keyring