#948842 nm.debian.org: please let people upload their OpenPGP certificate directly

#948842#3
Date: 2020-01-13 21:56:01 UTC
Package: nm.debian.org
Severity: wishlist

We should provide a facility so people can upload their OpenPGP
certificate ("public key"), together with all the 3rd party
certifications, directly into nm.debian.org, bypassing the SKS network
and avoiding the need for any other problematic OpenPGP certificate
distribution mechanism.

With the SKS network slowly dying, gpg not receiving third-party
certifications anymore by default and other changes to the ecosystem,
retrieving OpenPGP certificates and third-party certifications may be
harder in the future.

It is simpler to let applicants provide a certificate themselves
directly.

#948842#8
Date: 2020-01-13 22:03:50 UTC
I endorse this suggestion :)

I note that we shouldn't *require* users to upload their certificate
necessarily.  The change asked for here is just to make it possible for
them to do the upload if they choose to.

#948842#13
Date: 2020-01-15 18:12:36 UTC
I like the sentiment, and I am slightly afraid of turning nm.debian.org
into the debian keyserver replacement.

I mean, we could, but I'd like to figure out where we want to have the
authoritative source of key material for Debian.

Here are various options that I can think of:

 - nm.debian.org, needs the data
 - contributors.debian.org has a much more comprehensive user database
 - keyring.debian.org primarily manages key material
 - sso.debian.org is the authoritative user database
 - the oncoming replacement of sso.debian.org will be the actual
   authoritative user database

I'd feel better having this information together with the authoritative
user database, which at this point in time would mean waiting for the
new SSO to be up, and then hooking into that somehow.

Alternatively, having this information managed by the authoritative
team, which could mean keyring-maint providing a key upload service tied
to the new SSO. In this case, I don't mind helping to write the key
upload service for keyring-maint, if you want.


Enrico

#948842#18
Date: 2020-01-15 21:40:38 UTC
[wearing no hat other than operator of the keyserver in question]

Y'all are welcome to (and tell prospective contributors to) send keys to
the.earth.li, which is not SKS and still accepts third party
certifications. It does some limited signature verification which I'm
generally working to improve when time allows, but I think it's a
half-way house between what we currently have (trust a failing keyserver
network to have the data) and what's being proposed (implement a very
specific service to suit our needs for retrieving 3rd party certs).

J.

#948842#23
Date: 2020-01-16 20:18:54 UTC
It looks to me like the only thing nm needs the keyserver for is a
placeholder for keys until they land in the debian keyring (or the
debian-maintainer keyring), at which point we can rely on
keyring.debian.org.

right?

if the applicant is expected to submit this key somehow, it seems
simpler to me to have them just submit it to nm directly with the rest
of the application (e.g. "here are 9 questions, one of them needs you to
paste your OpenPGP certificate")  than to say "here are 8 questions; for
the 9th question, send your OpenPGP certificate to service X, and then
paste the fingerprint of the certificate here, and we'll reassemble it
from service X later".
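
The "paste your OpenPGP certificate into the form" intake described in the message above, as an added example that is not part of this bug log nor of nm.debian.org's or keyring-maint's code: it dearmors the pasted blob and verifies the armor CRC-24, walks the packet sequence (old- and new-format headers, since gpg --export writes old-format ones), derives the v4 fingerprint so the form can compare it with what the applicant typed, and lists third-party certifications by issuer key ID. The function names, the sample user ID "Jane Doe", the key material and the issuer key IDs are all constructed for the example; no signature is cryptographically verified, which stays with gpg and keyring-maint.

```python
# Added example, not code from nm.debian.org or keyring-maint: what a "paste your OpenPGP certificate"
# form handler can check before storing the blob. RFC 4880 framing only; nothing is cryptographically verified.
import base64, hashlib, hmac, re, struct

def crc24(data: bytes) -> int:                    # RFC 4880 6.1
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes) -> str:
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(data).decode() + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n"

def dearmor(text: str) -> bytes:
    m = re.search(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(.*?)-----END PGP PUBLIC KEY BLOCK-----", text, re.S)
    if not m: raise ValueError("not an armored public key block")
    lines = [ln.strip() for ln in m.group(1).splitlines()]
    if "" in lines: lines = lines[lines.index("") + 1:]      # armor headers end at the first blank line
    crc_line = lines.pop() if lines and lines[-1].startswith("=") else None
    data = base64.b64decode("".join(lines), validate=True)
    if crc_line and crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC-24 mismatch: certificate corrupted or altered in transit")
    return data

def _len(data: bytes, i: int, first: int):       # new-format length octets, RFC 4880 4.2.2 and 5.2.3.1
    if first < 192: return first, i
    if first < 255: return ((first - 192) << 8) + data[i] + 192, i + 1
    return struct.unpack(">I", data[i:i + 4])[0], i + 4

def packets(data: bytes):                         # yields (tag, body); old- and new-format headers (RFC 4880 4.2)
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80: raise ValueError("bad packet header at offset %d" % (i - 1))
        if ctb & 0x40:                            # new format
            if 224 <= data[i] < 255: raise ValueError("partial body lengths not supported")
            tag, (n, i) = ctb & 0x3F, _len(data, i + 1, data[i])
        else:                                     # old format, which is what gpg --export writes
            tag, k = (ctb >> 2) & 0x0F, 1 << (ctb & 3)
            if k == 8: raise ValueError("indeterminate packet length not supported")
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        if i + n > len(data): raise ValueError("truncated packet")
        yield tag, data[i:i + n]
        i += n

def fingerprint(key_body: bytes) -> str:         # v4: SHA-1(0x99 || 2-octet length || body), RFC 4880 12.2
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()

def issuer_of(sig: bytes):                        # key ID from the first issuer subpacket (type 16) of a v4 signature
    pos = 4
    for _ in range(2):                            # hashed subpacket area first, then the unhashed one
        end, pos = pos + 2 + struct.unpack(">H", sig[pos:pos + 2])[0], pos + 2
        while pos < end:
            n, pos = _len(sig, pos + 1, sig[pos])
            if sig[pos] & 0x7F == 16 and n == 9:
                return sig[pos + 1:pos + 9]
            pos += n
    return None

def summarize(armored: str) -> dict:
    pkts = list(packets(dearmor(armored)))
    if not pkts or pkts[0][0] != 6 or pkts[0][1][0] != 4: raise ValueError("must start with a v4 public-key packet")
    fpr = fingerprint(pkts[0][1])
    own_id = bytes.fromhex(fpr[-16:])             # the key ID is the low 64 bits of the fingerprint
    out = {"fingerprint": fpr, "user_ids": [], "self_certs": 0, "third_party_certs": set()}
    for tag, body in pkts[1:]:
        if tag == 13:
            out["user_ids"].append(body.decode("utf-8", "replace"))
        elif tag == 2 and body[0] == 4 and 0x10 <= body[1] <= 0x13:   # certification signature types
            issuer = issuer_of(body)
            if issuer == own_id:
                out["self_certs"] += 1
            elif issuer:                          # a certification with no issuer subpacket is not counted
                out["third_party_certs"].add(issuer.hex().upper())
    out["third_party_certs"] = sorted(out["third_party_certs"])
    return out

def check_fingerprint(armored: str, claimed: str) -> bool:   # applicant-typed fingerprint vs pasted certificate
    return hmac.compare_digest(summarize(armored)["fingerprint"].encode(), re.sub(r"\s+", "", claimed).upper().encode())

# Constructed sample: made-up key material with correct framing, not a real key; names and key IDs are invented.
def _pkt(tag: int, body: bytes) -> bytes:        # new-format header; every body here is < 192 octets
    return bytes([0xC0 | tag, len(body)]) + body
def _mpi(b: bytes) -> bytes:
    return struct.pack(">H", int.from_bytes(b, "big").bit_length()) + b
def _cert(sig_type: int, issuer: bytes) -> bytes:   # v4 signature: creation time (hashed) + issuer (unhashed)
    hashed, unhashed = bytes([5, 2]) + struct.pack(">I", 1579000000), bytes([9, 16]) + issuer
    return _pkt(2, bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
                + struct.pack(">H", len(unhashed)) + unhashed + b"\x12\x34" + _mpi(bytes(range(7, 39))))
def sample_certificate() -> str:
    key = bytes([4]) + struct.pack(">I", 1578000000) + bytes([1]) + _mpi(bytes(range(1, 33))) + _mpi(b"\x01\x00\x01")
    own_id = bytes.fromhex(fingerprint(key)[-16:])
    return armor(_pkt(6, key) + _pkt(13, b"Jane Doe <jane@example.org>") + _cert(0x13, own_id)        # self-cert
                 + _cert(0x10, bytes.fromhex("FEDCBA9876543210")) + _cert(0x10, bytes.fromhex("0123456789ABCDEF")))
```

The point of the check is narrow: the form can reject a blob whose armor CRC does not match, pin the certificate to the fingerprint the applicant claims (constant-time compare, whitespace and case normalised), and show the reviewer which third-party issuer key IDs arrived with it, all without a keyserver round trip. Whether those certifications are genuine is still for gpg on the keyring-maint side to decide.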

#948842#28
Date: 2020-01-17 11:50:29 UTC
Mostly my concern is about avoiding the effort of having to code the
bits of nm.d.o to accept keys from the applicant and forward them to
keyring-maint, and the piece on the keyring-maint side of automatically
putting the key into the repo (i.e. as part of process-rt). If someone
else is saying they'll do all that work then I have no objections!

J.

#948842#33
Date: 2023-08-14 07:28:11 UTC
I have a crazy idea I haven't seen here yet. Folks are already using Salsa to authenticate themselves and log in to nm.debian.org, so why not just allow importing key(s) from Salsa? You can find my current key and a long obsolete key at https://salsa.debian.org/jscott.gpg and this URL convention works for getting the key for anybody.

#948842#36
Date: 2023-09-04 06:13:03 UTC
That is also fine, possibly in addition to all of the above suggestions.

Note that I do not think it is common at all for people to upload their
public key to salsa, although I don't have data.


As usual patches welcome, both to nm and to keyring-team's scripts.
:)