[kde-community] KDE Sysadmin and GPG Encryption

Luigi Toscano luigi.toscano at tiscali.it
Tue Jul 26 14:01:15 UTC 2016


On Tuesday, 26 July 2016 19:25:25 CEST Boudhayan Gupta wrote:
> 2) GPG doesn't simply encrypt the email, but also digitally signs it.
> Signatures are required to prove the authenticity of the email, and to
> detect if it was tampered with. However, given our email
> infrastructure, a GPG signature is meaningless. Anyone can create a
> GPG key, encrypt the email and send it out. To trust the public key,
> it would have to be either (a) distributed in a trustable way, which
> brings us to the same situation as the SSH host key, (b) signed by
> another trusted entity (a person), after a face-to-face meeting, or
> (c) signed by members of a web of trust (which recursively requires
> one of (a) and (b)). Given we live in such physically diverse locations
> (in fact, Ben lives in New Zealand; meeting enough KDE contributors
> face to face willing to sign his key is prohibitively time, effort and
> finance consuming). If you can't establish trust of a GPG public key,
> the signature is meaningless.

I strongly disagree with this. While it is complicated in Ben's case, we had
a GPG signing party at the past Akademy and we can rebuild the web of trust.
Debian works like this. We can have one at the QtCon (with also people from 
other communities including FSFE). So *signing* the announcement emails should 
not be discouraged like it is in this email.

-- 
Luigi

