KDE GPG Keyserver
Sandro Knauß
sknauss at kde.org
Mon Jul 24 16:11:18 BST 2017
Hey,
> I recommend using the keyserver (pool) that's recommended by the official
> GnuPG FAQ [1] or, even better, sticking to the default, unless you have a
> specific reason for not using those. If you are concerned about your
> privacy then you should rather look into using a keyserver on the Tor
> network.
A specialied keyserver makes sense, if we want to improve the situation with
GPG Keys. We already use the Kes to sign releases, so we may want to check if
these keys are available and why not use our own pool?
* we can improve more rules for keys like >1024 bits no DSA, no unlimited
keys,...)
(Debian also has his own keyring, where they have far more rules than a simple
sks-keyserver)
* This makes sense in terms of get a more unified way to test on our systems
that a key is "known"... We had already this discussion of where to get a key
for a signature on the devel list...
> Is it sync'ed with the keyserver network, e.g. https://www.sks-keyservers.net/?
+1, that is I think best practice. With syncing to sks-keyservers users have
to only upload its key once and all can use sks-keyservers to get the key and
our infrastructure can rely on the own keyserver.
sandro
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.kde.org/pipermail/kde-community/attachments/20170724/07eb1534/attachment.sig>
More information about the kde-community
mailing list