KDE GPG Keyserver

Harald Sitter sitter at kde.org
Mon Jul 31 10:51:27 BST 2017


On Mon, Jul 24, 2017 at 5:11 PM, Sandro Knauß <sknauss at kde.org> wrote:
> Hey,
>
>> I recommend using the keyserver (pool) that's recommended by the official
>> GnuPG FAQ [1] or, even better, sticking to the default, unless you have a
>> specific reason for not using those. If you are concerned about your
>> privacy then you should rather look into using a keyserver on the Tor
>> network.
>
> A specialized keyserver makes sense if we want to improve the situation with
> GPG keys. We already use the keys to sign releases, so we may want to check if
> these keys are available, and why not use our own pool?
> * we can improve more rules for keys (like >1024 bits, no DSA, no unlimited
> keys, ...)
> (Debian also has its own keyring, where they have far more rules than a simple
> sks-keyserver)
> * This makes sense in terms of getting a more unified way to test on our systems
> that a key is "known"... We already had this discussion of where to get a key
> for a signature on the devel list...

FWIW, the reason for not having a server is what Christoph said about
maintaining stuff we don't technically need. Hosting our own server
adds no tangible value over deferring to the pool. Which goes doubly
so because the way Debian's keyring is used is as a moderated frontend
server (IIRC), rather than a public access pool server everyone can
push keys into... apples and oranges.
Whether or not we should have a thing like Debian is a discussion we
could have I suppose, though personally, I don't see the paperwork and
knowledge overhead such a setup would entail going well with our
community.

HS


