Gentoo Archives: gentoo-dev

From: Aisha Tammy <gentoo.dev@×××××.cc>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] unverifiable GPG keys for @gentoo.org members
Date: Tue, 12 May 2020 00:20:23
Message-Id: af1fac7c-4345-cdd2-766b-777ed3a10a5f@aisha.cc
Hi devs@,
Seems like for some reason the gentoo.org does not publish the
gpg public keys of the senders, even though it is signed correctly.

Just wanted to know why the devs are required to use gpg keys, glep63 [1]
but even when the server has the public keys, they aren't published properly.

From a proper security perspective, I would have thought something
like WKD [2] would have been implemented on the server side for automated
authentication.

Maybe I am missing something about how to verify the keys of the maintainers
who are sending announcements but it irks me a teensy bit when I have signed
mails and I can't ~~trust~~ verify the signatures.

This is tots an aside from normal gentoo stuff.

Hope y'all are safe,
Aisha

[1] https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys
[2] https://wiki.gnupg.org/WKD

Replies

Subject Author
Re: [gentoo-dev] unverifiable GPG keys for @gentoo.org members Aisha Tammy <gentoo.dev@×××××.cc>
Re: [gentoo-dev] unverifiable GPG keys for @gentoo.org members "Michał Górny" <mgorny@g.o>