Date: Sun, 12 Jul 2020 10:09:03 +0000
From: Daniel Shahaf
To: dana
Cc: vapnik spaknik, Zsh hackers list
Subject: Re: gpg key used to sign zsh tarball has no trusted signatures so how can I trust it?
Message-ID: <20200712100903.3257d4f6@tarpaulin.shahaf.local2>
References: <1130466066.9798.1594417647695.ref@mail.yahoo.com> <1130466066.9798.1594417647695@mail.yahoo.com> <20200710234922.50f0fa4a@tarpaulin.shahaf.local2>
List-Id: Zsh Workers List
Sender: zsh-workers@zsh.org
X-Seq: 46235

dana wrote on Fri, 10 Jul 2020 23:25 -0500:
> On 10 Jul 2020, at 18:49, Daniel Shahaf wrote:
> > Agreed it'd be a good thing.
>
> Yeah. I meant to get it sorted before, there just wasn't a convenient
> opportunity. I'm not very familiar with GPG trust etiquette, but if there's a
> good way we can establish trust remotely the next time we're collaborating or
> w/e that'd be OK with me

The general rule is that you should only sign somebody's public key if you
are *certain* that whoever controls the private key is indeed the person
whose name is on the key.

Some people say you should perform the verification in person against a
passport (or other government-issued photo id). Other people argue that
passports don't actually add much security, since the average open source
contributor is not able to identify fake passports at a glance, and in any
case verifying a passport doesn't defend against state adversaries.

Before social distancing, verifying people's PGP keys at conferences
provided a social defence: to paraphrase Linus, many eyeballs make all
impersonators shallow.

In the end, the question is what would convince you that someone who claims
to be danielsh is in fact danielsh; and which people who are already
connected to the Web of Trust would be able to be convinced that you are in
fact the owner of the public key that bears your name.

Cheers,

Daniel

(https://m.xkcd.com/1121/)
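The situation in the subject line, "Good signature" followed by "WARNING: This key is not certified with a trusted signature!", is gpg telling you that nothing in your own trust database connects the signing key to anyone you have verified. The mechanical counterpart to the signing rule Daniel describes is to look at which certifications the key actually carries and who made them. The script below is an added example, not code from the zsh project or from anyone in this thread: it parses the machine-readable output of `gpg --with-colons --check-sigs <KEYID>` and reports the key's computed validity plus its self-signatures, third-party certifications, and certifications from keys you do not even have. The sample output embedded in it is constructed, and every key ID and user ID in it is fictional.

```python
"""Triage the certifications on an OpenPGP signing key.

Added example; not the zsh project's code.  Input is the output of
    gpg --with-colons --check-sigs <KEYID>
SAMPLE below is constructed; all key IDs and user IDs in it are fictional.
"""
from dataclasses import dataclass, field

# Letters gpg uses in the validity (field 2) and ownertrust (field 9) columns.
VALIDITY = {
    "o": "unknown", "i": "invalid", "d": "disabled", "r": "revoked",
    "e": "expired", "-": "unknown", "q": "undefined", "n": "never",
    "m": "marginal", "f": "full", "u": "ultimate",
}
# Under --check-sigs, field 2 of a `sig` record holds the verification result.
SIG_CHECK = {"!": "good", "-": "bad", "?": "no public key", "%": "error"}


@dataclass
class Certification:
    signer_keyid: str
    signer_uid: str
    check: str        # good / bad / no public key / error
    sig_class: str    # RFC 4880 class + 'x' (exportable) or 'l' (local only)
    self_sig: bool    # made by the certified key itself


@dataclass
class KeyReport:
    keyid: str
    validity: str     # what gpg computed from YOUR trust database
    ownertrust: str
    uids: list = field(default_factory=list)
    certs: list = field(default_factory=list)

    def third_party_good(self):
        return [c for c in self.certs if c.check == "good" and not c.self_sig]

    def unknown_signers(self):
        return [c for c in self.certs if c.check == "no public key"]


def parse_check_sigs(text):
    """Build a KeyReport from the colon-separated records."""
    report = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            report = KeyReport(keyid=f[4], validity=VALIDITY.get(f[1], f[1]),
                               ownertrust=VALIDITY.get(f[8], f[8]))
        elif f[0] == "uid" and report is not None:
            report.uids.append(f[9])
        elif f[0] == "sig" and report is not None:
            report.certs.append(Certification(
                signer_keyid=f[4], signer_uid=f[9],
                check=SIG_CHECK.get(f[1], "unchecked"), sig_class=f[10],
                self_sig=(f[4] == report.keyid)))
    if report is None:
        raise ValueError("no pub record in input")
    return report


def assess(report):
    """'valid'/'marginal' are gpg's own verdicts; the other two say why gpg
    printed the 'not certified with a trusted signature' warning."""
    if report.validity in ("full", "ultimate"):
        return "valid"
    if report.validity == "marginal":
        return "marginal"
    if report.third_party_good():
        return "certified-by-untrusted"   # certs exist, but from nobody you trust
    return "unverified"                   # only self-sigs, or signers you lack


def summarize(report):
    lines = [f"key {report.keyid}: validity={report.validity} "
             f"ownertrust={report.ownertrust}"]
    lines += [f"  uid {u}" for u in report.uids]
    for c in report.certs:
        kind = "self-sig   " if c.self_sig else "third-party"
        lines.append(f"  {kind} {c.signer_keyid} {c.check:13} "
                     f"class={c.sig_class} {c.signer_uid}")
    lines.append(f"verdict: {assess(report)}")
    if report.unknown_signers():
        lines.append("  hint: fetch the missing signer keys and re-run; only a "
                     "cert from a key you have verified yourself makes this valid")
    return lines


# Constructed sample (fictional IDs), shaped like real --with-colons output.
SAMPLE = """\
tru::1:1594545600:0:3:1:5
pub:-:4096:1:0123456789ABCDEF:1577836800:::-:::scESC::::::23::0:
uid:-::::1577836800::0000000000000000000000000000000000000000::Example Maintainer <maint@example.invalid>::::::::::0:
sig:!::1:0123456789ABCDEF:1577836800::::Example Maintainer <maint@example.invalid>:13x:::::::::0:
sig:?::1:FEDCBA9876543210:1580000000::::[User ID not found]:10x:::::::::0:
sig:!::1:1122334455667788:1585000000::::Alice Example <alice@example.invalid>:13x:::::::::0:
"""

if __name__ == "__main__":
    print("\n".join(summarize(parse_check_sigs(SAMPLE))))
```

Run it against real output with `gpg --with-colons --check-sigs KEYID | python3 triage.py` after replacing the SAMPLE with `sys.stdin.read()`. A verdict of "certified-by-untrusted" means the key has been certified by other people, but by nobody whose key you have verified and marked with ownertrust; "unverified" means the key carries nothing but its own self-signatures (or certifications from keys you don't hold). Neither is an error in gpg; both are the state of your keyring. Once you have done the out-of-band verification Daniel describes, `gpg --lsign-key KEYID` records a local, non-exportable certification that turns the warning off for you alone, and `gpg --sign-key KEYID` makes one you could publish, which is the step that should only follow the "certain" standard above.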