public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] From GWN: GnuPG keyservers
From: Joseph Carter @ 2003-01-22  8:07 UTC
  To: gentoo-dev


Please note that wwwkeys.pgp.net has the HKP protocol bug.  That is to say
that the keyserver will irrevocably hose certain GnuPG keys, those having
multiple subkeys.

There is no fix.  There is no way to make a corrupted key work again.
GnuPG versions greater than 1.0.6 will attempt to make the corrupted keys
usable again, but it can only go so far.


The ONLY fix for this problem seems to be use of a non-broken key server
protocol.  GnuPG supports one, LDAP, but this support is currently
optional and not enabled by default, so most people can't use it.  To fix
this, re-merge app-crypt/gnupg with ldap in your USE flags.

Highly recommend that LDAP become non-optional for GnuPG since basically
ALL HKP servers corrupt valid keys, the email servers don't support
OpenPGP, and the LDAP servers happen to actually work right, amazingly
enough.

The most common LDAP server, at the moment, is ldap://keyserver.pgp.com.

-- 
Joseph Carter <knghtbrd@efn.org>                        Random sig du jour
 
<Mercury> LordHavoc: I'm already insane.
<Coderjoe> damn straight. or curvy, crooked, or what have you



* Re: [gentoo-dev] From GWN: GnuPG keyservers
From: J Robert Ray @ 2003-01-22 19:39 UTC
  To: Joseph Carter; +Cc: gentoo-dev, gentoo-core

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joseph Carter wrote:
| Highly recommend that LDAP become non-optional for GnuPG since basically
| ALL HKP servers corrupt valid keys, the email servers don't support
| OpenPGP, and the LDAP servers happen to actually work right, amazingly
| enough.

This leads me to an idea about USE variables.  It may make sense for
everyone to enable ldap for this one package but it doesn't make sense
for everyone to add ldap to their USE variables.

Also, making ldap support mandatory in a package goes against Gentoo and
USE variable principles.

My idea is to make the absence of a set USE variable not automatically
mean "-var" but instead to make that mean the user is undecided and
willing to accept default values on a package to package basis.

The Gnupg ebuild would specify the default value for ldap as set.  Then,
one of three things will happen:

A) User has "ldap" set in USE, enabling ldap support;

B) User has "-ldap" set in USE, disabling ldap support; or

C) User has no "ldap" set in USE, enabling ldap support via the default
setting in the ebuild.

If an ebuild does not specify a default, then it is taken to be disabled.

- - Robert

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+LvOFbv6Y11NqSv8RAjFqAKCFgiGCpIWXfo4wl81JYPAj+kWc6QCeMlff
Xyg9dHJebi+jPw7T5vZrBD0=
=/SyM
-----END PGP SIGNATURE-----


--
gentoo-dev@gentoo.org mailing list



* Re: [gentoo-dev] From GWN: GnuPG keyservers
From: Paul de Vrieze @ 2003-01-22 19:56 UTC
  To: gentoo-dev


On Wednesday 22 January 2003 20:39, J Robert Ray wrote:
> My idea is to make the absence of a set USE variable not automatically
> mean "-var" but instead to make that mean the user is undecided and
> willing to accept default values on a package to package basis.
>
> The Gnupg ebuild would specify the default value for ldap as set.  Then,
> one of three things will happen:

I can agree with this. Often packages themselves know what is best. A 
transition period/tool would be necessary though as it is rather different 
from the current behaviour.

Paul

-- 
Paul de Vrieze
Researcher
Mail: pauldv@cs.kun.nl
Homepage: http://www.devrieze.net


* Re: [gentoo-dev] From GWN: GnuPG keyservers
From: Matthew Walker @ 2003-01-22 19:57 UTC
  To: gentoo-dev

J Robert Ray said:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Joseph Carter wrote:
> | Highly recommend that LDAP become non-optional for GnuPG since basically
> | ALL HKP servers corrupt valid keys, the email servers don't support
> | OpenPGP, and the LDAP servers happen to actually work right, amazingly
> | enough.
>
> This leads me to an idea about USE variables.  It may make sense for
> everyone to enable ldap for this one package but it doesn't make sense for
> everyone to add ldap to their USE variables.
>
> Also, making ldap support mandatory in a package goes against Gentoo and
> USE variable principles.
>
> My idea is to make the absence of a set USE variable not automatically
> mean "-var" but instead to make that mean the user is undecided and
> willing to accept default values on a package to package basis.
>
> The Gnupg ebuild would specify the default value for ldap as set.  Then,
> one of three things will happen:
>
> A) User has "ldap" set in USE, enabling ldap support;
>
> B) User has "-ldap" set in USE, disabling ldap support; or
>
> C) User has no "ldap" set in USE, enabling ldap support via the default
> setting in the ebuild.
>
> If an ebuild does not specify a default, then it is taken to be disabled.

Just throwing in my .02, I like this idea a lot. It seems to make good sense.




* Re: [gentoo-dev] From GWN: GnuPG keyservers
From: Max Kalika @ 2003-01-23  2:10 UTC
  To: gentoo-dev

Quoting J Robert Ray <jrray@gentoo.org>:

> This leads me to an idea about USE variables.  It may make sense for
> everyone to enable ldap for this one package but it doesn't make sense
> for everyone to add ldap to their USE variables.

I know I'm opening myself up for some serious punishment, but this comes
very close to what I was having troubles with as well.  I whipped up a
patch for portage which supports "per-package" USE variables.

   http://bugs.gentoo.org/show_bug.cgi?id=13616

In this case you can configure your USE flags to something like ...

   USE='( app-crypt/gnupg ldap ) -ldap'

... which would enable ldap support for just GnuPG and disable it for
everything else.

---max kalika
--max@lsit.ucsb.edu
-lsit systems administrator
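
Added example, not part of the thread and not Portage code: a small Python resolver that combines the three-case default proposal (A/B/C above) with the per-package USE grouping from this message, to show what each USE setting yields for app-crypt/gnupg. The group grammar, the precedence order (per-package group, then global USE, then ebuild default) and the package name net-misc/example used in testing are assumptions.

```python
import re

def parse_use(use):
    """Split a USE string into (global flags, {package: flags}).

    The '( category/package flag ... )' grouping is read off the one
    example in the message; the patch's real grammar may differ.
    """
    per_pkg = {}

    def take_group(match):
        parts = match.group(1).split()
        if parts:
            per_pkg.setdefault(parts[0], []).extend(parts[1:])
        return " "

    global_flags = re.sub(r"\(([^()]*)\)", take_group, use).split()
    return global_flags, per_pkg

def decide(flags, name):
    """True for 'name', False for '-name', None when never mentioned."""
    state = None
    for flag in flags:  # last mention wins (assumption)
        if flag == name:
            state = True
        elif flag == "-" + name:
            state = False
    return state

def flag_enabled(use, package, flag, ebuild_defaults=()):
    """Resolve one flag for one package.

    Order (assumption): per-package group, then global USE, then the
    ebuild's own default; an ebuild with no default leaves it disabled.
    """
    global_flags, per_pkg = parse_use(use)
    for state in (decide(per_pkg.get(package, []), flag),
                  decide(global_flags, flag)):
        if state is not None:
            return state
    return flag in ebuild_defaults

if __name__ == "__main__":
    gnupg = "app-crypt/gnupg"
    for use in ("ldap", "-ldap", "", "( app-crypt/gnupg ldap ) -ldap"):
        print(repr(use), "->", flag_enabled(use, gnupg, "ldap", {"ldap"}))
```
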
