zsh-workers
From: Daniel Shahaf <d.s@daniel.shahaf.name>
To: dana <dana@dana.is>
Cc: vapnik spaknik <vapniks@yahoo.com>,
	Zsh hackers list <zsh-workers@zsh.org>
Subject: Re: gpg key used to sign zsh tarball has no trusted signatures so how can I trust it?
Date: Sun, 12 Jul 2020 10:09:03 +0000
Message-ID: <20200712100903.3257d4f6@tarpaulin.shahaf.local2>
In-Reply-To: <B4A2CE00-A511-423B-8A79-37CC0C7F1CC6@dana.is>

dana wrote on Fri, 10 Jul 2020 23:25 -0500:
> On 10 Jul 2020, at 18:49, Daniel Shahaf <d.s@daniel.shahaf.name> wrote:
> > Agreed it'd be a good thing.  
> 
> Yeah. I meant to get it sorted before, there just wasn't a convenient
> opportunity. I'm not very familiar with GPG trust etiquette, but if there's a
> good way we can establish trust remotely the next time we're collaborating or
> w/e that'd be OK with me

The general rule is that you should only sign somebody's public key if
you are *certain* that whoever controls the private key is indeed the
person whose name is on the key.

Some people say you should perform the verification in person against
a passport (or other government-issued photo id).

Other people argue that passports don't actually add much security,
since the average open source contributor is not able to identify
fake passports at a glance, and in any case verifying a passport
doesn't defend against state adversaries.

Before social distancing, verifying people's PGP keys at conferences
provided a social defence: to paraphrase Linus, many eyeballs make all
impersonators shallow.

In the end, the question is what would convince you that someone
who claims to be danielsh is in fact danielsh; and which people who are
already connected to the Web of Trust would be able to be convinced
that you are in fact the owner of the public key that bears your name.

Cheers,

Daniel
(https://m.xkcd.com/1121/)


Thread overview: 4+ messages
     [not found] <1130466066.9798.1594417647695.ref@mail.yahoo.com>
2020-07-10 21:47 ` vapnik spaknik
2020-07-10 23:49   ` Daniel Shahaf
2020-07-11  4:25     ` dana
2020-07-12 10:09       ` Daniel Shahaf [this message]

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/zsh/
