- Package: nm.debian.org
- Source: nm.debian.org
- Submitter: Mattia Rizzolo
- Date: 2023-09-04 06:24:05 UTC
- Severity: wishlist
Package: nm.debian.org
Severity: wishlist
We should provide a facility so people can upload their OpenPGP
certificate ("public key"), together with all the 3rd party
certifications, directly into nm.debian.org, bypassing the SKS network
and avoiding the need for any other problematic OpenPGP certificate
distribution mechanism.
With the SKS network slowly dying, gpg not receiving third-party
certifications anymore by default and other changes to the ecosystem,
retrieving OpenPGP certificates and third-party certifications may be
harder in the future.
It is simpler to let applicants provide a certificate themselves
directly.
I endorse this suggestion :) I note that we shouldn't *require* users to upload their certificate necessarily. The change asked for here is just to make it possible for them to do the upload if they choose to.
I like the sentiment, and I am slightly afraid of turning nm.debian.org into the debian keyserver replacement. I mean, we could, but I'd like to figure out where we want to have the authoritative source of key material for Debian. Here are various options that I can think of:
- nm.debian.org, needs the data
- contributors.debian.org has a much more comprehensive user database
- keyring.debian.org primarily manages key material
- sso.debian.org is the authoritative user database
- the oncoming replacement of sso.debian.org will be the actual authoritative user database
I'd feel better having this information together with the authoritative user database, which at this point in time would mean waiting for the new SSO to be up, and then hooking into that somehow. Alternatively, having this information managed by the authoritative team, which could mean keyring-maint providing a key upload service tied to the new SSO. In this case, I don't mind helping to write the key upload service for keyring-maint, if you want.
Enrico
[wearing no hat other than operator of the keyserver in question] Y'all are welcome to (and tell prospective contributors to) send keys to the.earth.li, which is not SKS and still accepts third party certifications. It does some limited signature verification which I'm generally working to improve when time allows, but I think it's a half-way house between what we currently have (trust a failing keyserver network to have the data) and what's being proposed (implement a very specific service to suit our needs for retrieving 3rd party certs). J.
It looks to me like the only thing nm needs the keyserver for is a placeholder for keys until they land in the debian keyring (or the debian-maintainer keyring), at which point we can rely on keyring.debian.org. Right? If the applicant is expected to submit this key somehow, it seems simpler to me to have them just submit it to nm directly with the rest of the application (e.g. "here are 9 questions, one of them needs you to paste your OpenPGP certificate") than to say "here are 8 questions; for the 9th question, send your OpenPGP certificate to service X, and then paste the fingerprint of the certificate here, and we'll reassemble it from service X later".
Mostly my concern is about avoiding the effort of having to code the bits of nm.d.o to accept keys from the applicant and forward them to keyring-maint, and the piece on the keyring-maint side of automatically putting the key into the repo (i.e. as part of process-rt). If someone else is saying they'll do all that work then I have no objections! J.
I have a crazy idea I haven't seen here yet. Folks are already using Salsa to authenticate themselves and log in to nm.debian.org, so why not just allow importing key(s) from Salsa? You can find my current key and a long obsolete key at https://salsa.debian.org/jscott.gpg and this URL convention works for getting the key for anybody.
That is also fine, possibly in addition to all of the above suggestions. Note that I do not think it is common at all for people to upload their public key to salsa, although I don't have data. As usual patches welcome, both to nm and to keyring-team's scripts. :)
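As an added example (not code from this bug report, nm.debian.org or keyring-maint), this is the kind of check a direct "paste your OpenPGP certificate" form could run on the submitted block: dearmor it, walk the RFC 4880 packets, derive the primary-key fingerprint and count self-certifications versus third-party certifications over user IDs, which is the data this request wants carried along with the key. It only parses and classifies; the limited signature verification mentioned above for the.earth.li is out of scope, and the sample certificate is constructed inline from dummy key material, not a real key.

```python
import base64, hashlib, re

def _newlen(buf, i, sub=False):  # new-format length at buf[i] (subpackets use the same coding) -> (len, next i)
    n = buf[i]; i += 1
    if n < 192: return n, i
    if n == 255: return int.from_bytes(buf[i:i + 4], "big"), i + 4
    if n >= 224 and not sub: raise ValueError("partial body lengths unsupported")
    return ((n - 192) << 8) + buf[i] + 192, i + 1

def _packets(data):  # yield (tag, body); gpg exports use old-format headers, other tools new-format
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if hdr & 0x40:                                             # new format: 6-bit tag
            tag, (n, i) = hdr & 0x3F, _newlen(data, i)
        else:                                                      # old format: 4-bit tag, 1/2/4-byte length
            tag, w = (hdr >> 2) & 0x0F, (1, 2, 4)[hdr & 3]         # length type 3 (indeterminate) raises
            n, i = int.from_bytes(data[i:i + w], "big"), i + w
        yield tag, data[i:i + n]; i += n

def fingerprint(key_body):  # v4 fingerprint: SHA-1(0x99 || 2-byte body length || public-key packet body)
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest().upper()

def _issuer(sig):  # hex key ID from the Issuer (type 16) subpacket of a v4 signature, hashed or unhashed area
    hl = int.from_bytes(sig[4:6], "big"); ul = int.from_bytes(sig[6 + hl:8 + hl], "big")
    area, i = sig[6:6 + hl] + sig[8 + hl:8 + hl + ul], 0           # hashed then unhashed subpackets
    while i < len(area):
        n, i = _newlen(area, i, sub=True)
        if area[i] & 0x7F == 16: return area[i + 1:i + n].hex().upper()
        i += n

def summarize(armored):
    """Fingerprint, user-ID count and self- vs third-party certification counts of a pasted key block."""
    m = re.search(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(.*?)-----END PGP PUBLIC KEY BLOCK", armored.replace("\r", ""), re.S)
    if not m: raise ValueError("not an ASCII-armored OpenPGP public key block")
    b64 = "".join(l for l in m.group(1).split("\n\n", 1)[-1].splitlines() if l and l[0] != "=")  # drop headers, CRC
    fp, uids, certs = None, 0, [0, 0]                              # certs[1] = self, certs[0] = third party
    for tag, pkt in _packets(base64.b64decode(b64)):
        if tag == 6 and fp is None: fp = fingerprint(pkt)          # primary key packet comes first
        elif tag == 13: uids += 1
        elif tag == 2 and pkt[0] == 4 and 0x10 <= pkt[1] <= 0x13:  # certification over a user ID
            certs[bool(fp and (iss := _issuer(pkt)) and fp.endswith(iss))] += 1
    return {"fingerprint": fp, "user_ids": uids, "self_certifications": certs[1], "third_party_certifications": certs[0]}

def _pkt(tag, body): return bytes([0xC0 | tag, len(body)]) + body   # new-format header, body < 192 bytes
def _cert(sig_type, issuer_keyid):  # constructed v4 certification: dummy RSA/SHA-256 fields, one Issuer subpacket
    sub = bytes([9, 16]) + issuer_keyid
    return _pkt(2, bytes([4, sig_type, 1, 8, 0, len(sub)]) + sub + b"\x00\x00\x00\x00\x00\x01\x01")

def demo_cert():  # constructed sample, not a real key: dummy RSA key, one user ID, one self-sig, two third-party certs
    key = b"\x04\x00\x00\x00\x00\x01\x00\x08\xab\x00\x02\x03"         # v4, creation time 0, RSA, toy MPIs
    own = bytes.fromhex(fingerprint(key)[-16:])                     # key ID = low 64 bits of the fingerprint
    raw = _pkt(6, key) + _pkt(13, b"Demo <demo@example.org>") + _cert(0x13, own) + _cert(0x10, b"\x01" * 8) + _cert(0x12, b"\x02" * 8)
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(raw).decode() + "\n-----END PGP PUBLIC KEY BLOCK-----\n"
```

A real `gpg --export --armor` block goes through the same `summarize()` path; subkeys and their binding signatures are skipped because only certification types 0x10-0x13 are counted.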