Re: Updated Debian Developers Keyring

2008-04-18 Thread Jonathan McDowell
The keyring part isn't as easy. The problem is that the keyring isn't maintained collaboratively. jetring has been developed for exactly this use case, but I've heard (discussion on #debian-devel) that some people considered jetring a mess (I don't have details about specific problems

Re: Debian Maintainers Keyring changes

2010-11-19 Thread Jonathan McDowell
On Fri, Nov 19, 2010 at 01:09:29PM +0100, Alexander Reichle-Schmehl wrote: Hi! For the New Debian Contributors section of the Debian Project News I usually look at the keyring change mails you send. However in the last report I noticed the following: abou.almonta...@sfr.fr Full

Re: Moving to stronger keys than 1024D

2013-10-05 Thread Jonathan McDowell
On Sat, Oct 05, 2013 at 10:37:40AM +0200, Stefano Zacchiroli wrote: What worries me is that by revoking my old key I'll make the situation for the WoT worse. Given the current state and evolution trends of WoT, is it actually the case, as Gunnar hints at above, or not? OTOH by not retiring

Re: Moving to stronger keys than 1024D

2013-10-05 Thread Jonathan McDowell
On Sat, Oct 05, 2013 at 05:32:18PM +0200, Stefano Zacchiroli wrote: On Sat, Oct 05, 2013 at 08:17:48AM -0700, Jonathan McDowell wrote: Now. If you have a 2048 bit or larger key that has been signed by at least 2 other DDs but still have a 1024D key in our keyring you should be filing

Re: State of the debian keyring

2014-02-23 Thread Jonathan McDowell
On Sun, Feb 23, 2014 at 02:10:12PM +0800, Paul Wise wrote: On Sun, Feb 23, 2014 at 8:35 AM, Gunnar Wolf wrote: So, what do you suggest? Set a deadline (say 1 year?) for removal of all 1024 bit keys from the keyring. Notify all users of 1024 bit keys via all addresses listed in the MIA db

Re: State of the debian keyring

2014-02-23 Thread Jonathan McDowell
On Sun, Feb 23, 2014 at 12:49:37PM -0300, Henrique de Moraes Holschuh wrote: On Sun, 23 Feb 2014, Jonathan McDowell wrote: * Requests need to include the full fingerprint of both the old and the new key. Not just the key IDs. Not just the new key. We want to be absolutely certain

Re: State of the debian keyring

2014-02-24 Thread Jonathan McDowell
On Mon, Feb 24, 2014 at 05:53:58PM +, Ian Jackson wrote: Jonathan McDowell writes (Re: State of the debian keyring): On Sun, Feb 23, 2014 at 02:10:12PM +0800, Paul Wise wrote: * The new key must be signed by the old key that is being replaced. * The new key must be signed by 2

Re: State of the debian keyring

2014-02-25 Thread Jonathan McDowell
On Tue, Feb 25, 2014 at 10:51:56AM -0800, Russ Allbery wrote: Gunnar Wolf gw...@gwolf.org writes: Ian Jackson dijo [Mon, Feb 24, 2014 at 05:57:57PM +]: I think this is a bug. It can increase security because it can make operations more convenient at the same level of security,

Re: keybase.io

2014-04-04 Thread Jonathan McDowell
not be trusting any third party with the private half of my key on their servers, even if it's passphrase protected and the crypto carried out at the client side. J. -- Revd Jonathan McDowell, ULC | You non-conformists are all alike.

Re: keybase.io

2014-04-04 Thread Jonathan McDowell
[I trimmed the To down to -project because I think everyone on the CC is reading that; I certainly am so no need to explicitly CC me.] On Fri, Apr 04, 2014 at 05:18:13PM -0600, Gunnar Wolf wrote: Jonathan McDowell dijo [Fri, Apr 04, 2014 at 10:35:41PM +0100]: To be clear, if I spot any key

Re: keybase.io

2014-04-04 Thread Jonathan McDowell
On Fri, Apr 04, 2014 at 08:15:10PM -0400, Paul Tagliamonte wrote: On Sat, Apr 05, 2014 at 12:57:50AM +0100, Jonathan McDowell wrote: 2 separate points to make here (as well as the general point Russ and Paul have followed up with about what do we trust in general running on the same machine

Re: [Debconf-discuss] DebConf14: Last call for keys for keysigning in Portland, Oregon, USA

2014-08-19 Thread Jonathan McDowell
On Fri, Aug 15, 2014 at 01:27:28AM +0200, Aníbal Monsalve Salazar wrote: As part of the 15th Debian Conference in Portland, Oregon, USA there will be OpenPGP (pgp/gpg) keysignings. If you intend to participate in the DebConf14 keysignings, please send your ascii armored public key as

Re: Reminder: Removing 2048 bit keys from the Debian keyrings

2014-11-09 Thread Jonathan McDowell
On Sat, Nov 08, 2014 at 08:25:58PM +0100, Marco d'Itri wrote: On Nov 08, Jonathan McDowell nood...@earth.li wrote: Back in August I sent notification[0] about the fact that we will be removing all keys less than 2048 from our keyrings at the end of the year (31st December 2014). Sadly

Re: About language specific package management tools

2015-01-23 Thread Jonathan McDowell
On Fri, Jan 23, 2015 at 10:57:55AM +, Anthony Towns wrote: It takes a couple of minutes to download something using pip or npm; how long does it take to get a python or nodejs Debianized and installable? (eg: learning that npm2deb exists, how to use it, what else you have to do to have a

Re: Debian Project Leader Election 2015 Results

2015-04-16 Thread Jonathan McDowell
On Thu, Apr 16, 2015 at 09:26:27AM +0100, Jonathan McDowell wrote: On Wed, Apr 15, 2015 at 11:12:14PM +0200, Debian Project Secretary - Kurt Roeckx wrote: Stats for the DPL votes: |--+--++---++-++---| | | Num || Valid

Re: Debian Project Leader Election 2015 Results

2015-04-16 Thread Jonathan McDowell
On Wed, Apr 15, 2015 at 11:12:14PM +0200, Debian Project Secretary - Kurt Roeckx wrote: Stats for the DPL votes: |--+--++---++-++---| | | Num || Valid | Unique | Rejects | % | Multiple | | Year | DDs | Quorum | Votes |

Re: Debian Project Leader Election 2015 Results

2015-04-16 Thread Jonathan McDowell
On Thu, Apr 16, 2015 at 07:12:22PM +0200, Kurt Roeckx wrote: On Thu, Apr 16, 2015 at 09:26:27AM +0100, Jonathan McDowell wrote: On Wed, Apr 15, 2015 at 11:12:14PM +0200, Debian Project Secretary - Kurt Roeckx wrote: Stats for the DPL votes

Re: Debian Project Leader Election 2015 Results

2015-04-17 Thread Jonathan McDowell
On Fri, Apr 17, 2015 at 09:09:01AM +0200, Kurt Roeckx wrote: On Thu, Apr 16, 2015 at 09:28:34PM -0500, Gunnar Wolf wrote: Kurt Roeckx dijo [Fri, Apr 17, 2015 at 12:45:37AM +0200]: On Thu, Apr 16, 2015 at 10:41:52PM +0100, Jonathan McDowell wrote: Sadly this list is trivially proved

Re: concerning debian.nl domain

2016-03-31 Thread Jonathan McDowell
On Thu, Mar 31, 2016 at 01:50:03PM +0200, Paul Slootman wrote: > My former employer registered the debian.nl domain when the previous > holder wasn't interested any more, mostly to prevent it falling into the > wrong hands. > > That was some time ago; since some time that former employer is busy

Re: Proposed GR: Acknowledge that the debian-private list will remain private

2016-07-07 Thread Jonathan McDowell
On Thu, Jul 07, 2016 at 03:37:08PM +0200, Nicolas Dandrimont wrote: > In 2005, the body of Debian Developers passed a General Resolution[1] > requiring the creation of a declassification team for the > debian-private mailing list. For the past ten years, the > implementation of this GR has never

Re: wanted: educate us please on key dongles

2017-08-11 Thread Jonathan McDowell
On Fri, Aug 11, 2017 at 10:08:16AM -0700, Sean Whitton wrote: > Thank you for the explanation. > > On Fri, Aug 11 2017, Jonathan McDowell wrote: > > > * If you don't want to buy hardware, use an offline master > > key. Create > >a certification only maste

Re: wanted: educate us please on key dongles

2017-08-11 Thread Jonathan McDowell
On Wed, Aug 02, 2017 at 10:16:29PM +0200, Adam Borowski wrote: > It would be nice if someone knowledgeable could educate the rest of us > about physical key dongles -- a number of DDs/DMs/contributors still > keep their secret keys on a regular disk, and could use a primer. Me > included. I do

Re: wanted: educate us please on key dongles

2017-08-11 Thread Jonathan McDowell
On Fri, Aug 11, 2017 at 04:52:36PM -0300, Henrique de Moraes Holschuh wrote: > On Fri, 11 Aug 2017, Jonathan McDowell wrote: > > I see no reason why the master key should ever be used for > > signatures in such a scenario, so it seems sensible to indicate that > > it is pur

Re: Security advisory for YubiKey 4: RSA generation broken

2017-10-16 Thread Jonathan McDowell
On Mon, Oct 16, 2017 at 09:13:19PM +0200, Yves-Alexis Perez wrote: > On Mon, 2017-10-16 at 21:06 +0200, Christian Seiler wrote: > > Unfortunately, as far as I understand it, there's no easy method for > > detecting these kinds of broken keys without actually attempting to > > factorize them - and

Re: wanted: educate us please on key dongles

2017-08-30 Thread Jonathan McDowell
On Tue, Aug 29, 2017 at 07:34:35PM +0200, Marc Haber wrote: > On Fri, Aug 11, 2017 at 01:41:39PM +0100, Jonathan McDowell wrote: > > * GnuK: My favourite choice. It's slow with RSA4096, but does > > support it. The hardware is open. The software is open (you can

Re: wanted: educate us please on key dongles

2017-08-30 Thread Jonathan McDowell
On Wed, Aug 30, 2017 at 12:50:53PM +0200, Marc Haber wrote: > On Wed, Aug 30, 2017 at 12:42:13PM +0200, Adam Borowski wrote: > > * with Yubikey 4 (suspected): they send the secret handshake, get a > > copy of the key, and you don't even know anything happened > > That's a point, but I cannot

Re: Keysigning in times of COVID-19

2020-08-12 Thread Jonathan McDowell
Enrico Zini wrote: > we have people approaching Debian with a lack of GPG signatures, and we > generally cannot ask them to travel and meet other developers in person > to get their key signed. It's worthwhile stating the actual problem that is trying to be solved here. I believe that is: