Re: Suggest another way of importing GNU Guix GPG key
From: Christopher Lemmer Webber
Subject: Re: Suggest another way of importing GNU Guix GPG key
Date: Sat, 29 Jun 2019 17:57:27 -0400
User-agent: mu4e 1.2.0; emacs 26.2
That's probably the right way to do it for now.
Alex Vong writes:
> Hello,
>
> One solution would be to download the keyring from
> <https://ftp.gnu.org/gnu/gnu-keyring.gpg> and verify the signature in
> the following way:
>
> $ gpg --keyring ./gnu-keyring.gpg --verify guix-1.0.1.tar.gz.sig
> guix-1.0.1.tar.gz
>
> Cheers,
> Alex
>
> address@hidden writes:
>
>> Hello,
>>
>> SKS keyservers are currently under attack
>> (https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f) -
>> the attack can cause a GPG client to freeze completely and mess up the
>> GPG installation completely.
>>
>> I suggest GNU Guix proposes another way of importing the GPG keys so
>> that users will not suffer from this problem.
>>
>> There's another, newer keyserver, proposed in this gist, that is run
>> by new software that doesn't suffer from this attack. See:
>> https://keys.openpgp.org/about/news#2019-06-12-launch
>>
>> However, that keyserver is not replicated. You could either use that
>> one or simply offer a download of the key over TLS with verification
>> against installed CAs, as secure as this can get.
>>
>> Regards
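A script-form version of the verification Alex describes, added here as an example (not code from this thread or from the Guix project): it fetches the GNU keyring over TLS as suggested, imports it into a throwaway GNUPGHOME so a flooded or otherwise poisoned key can never touch the user's own installation, and accepts the signature only when gpg's status output reports VALIDSIG for a fingerprint supplied out of band. The names EXPECTED_FPR, check_validsig and verify_release are my own, and the default fingerprint is a placeholder, not the real Guix release key.

```shell
#!/bin/sh
# Added example: verify a GNU release tarball against the GNU keyring
# fetched over TLS, in an isolated GNUPGHOME, requiring a specific key.
set -eu

KEYRING_URL="https://ftp.gnu.org/gnu/gnu-keyring.gpg"   # URL from the thread
# Placeholder fingerprint: take the real one from the release announcement
# or another out-of-band source, never from a keyserver lookup.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# Parse `gpg --status-fd` output ($1) and succeed only if a VALIDSIG line
# names the expected 40-hex fingerprint ($2), either as the signing (sub)key
# fingerprint (first field) or as the primary-key fingerprint (last field),
# and no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG line is present.
check_validsig() {
    status_file="$1"; fpr="$2"
    if grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) ' "$status_file"; then
        return 1
    fi
    grep -Eq "^\[GNUPG:\] VALIDSIG ($fpr |.* $fpr\$)" "$status_file"
}

# Download the keyring (curl validates the server against installed CAs),
# then verify tarball $1 with detached signature $2 in a temporary home.
verify_release() {
    tarball="$1"; sig="$2"
    home="$(mktemp -d)"; chmod 700 "$home"
    trap 'rm -rf "$home"' EXIT
    curl -fsSL -o "$home/gnu-keyring.gpg" "$KEYRING_URL"
    GNUPGHOME="$home" gpg --batch --quiet --import "$home/gnu-keyring.gpg"
    # gpg may exit non-zero on an unknown key; the status lines decide.
    GNUPGHOME="$home" gpg --batch --status-fd 1 --verify "$sig" "$tarball" \
        > "$home/status.txt" 2>/dev/null || true
    check_validsig "$home/status.txt" "$EXPECTED_FPR"
}

# Usage: EXPECTED_FPR=<fpr> sh verify.sh guix-1.0.1.tar.gz guix-1.0.1.tar.gz.sig
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2" && echo "signature OK for $1"
fi
```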