> On Mon, Feb 04, 2019 at 07:27:32PM -0600, Daniel Kahn Gillmor wrote:
>> the keyserver network is, sadly, showing its age. Its flaws have been known within the community for years, and a few proposals have surfaced for offering a replacement, but the sks software is difficult to maintain (idiosyncratic ocaml) and deploying larger changes in a coordinated way across a globally-syncing network is even more difficult. :(
>>
>> On Mon 2019-02-04 17:00:56 -0500, Roger Dingledine wrote:
>>> Thanks Matt. I've been answering a couple of people a day in #tor who are confused by this issue. As a stopgap, I've changed the instructions page: https://www.torproject.org/docs/debian to point people to a keyserver that doesn't (currently) have this bug.
>>
>> hm, this documentation is still out of date. modern best practices would not involve using "apt-key add -", but instead use a Signed-By option (see sources.list(5)) that points to an otherwise untrusted curated keyring.
>
> That sounds great.
>
> Ultimately, I wonder if we should start providing a full keyring (text file) that people can download from our website and import for themselves.

you can see a good writeup by anarcat here of modern best practices for a debian repository anchored by such a downloaded key:

https://wiki.debian.org/DebianRepository/UseThirdParty

>> If you want to get even smoother, other projects just ship a *-archive-keyring package directly in debian itself, which enables pretty easy expansion from mainline debian to a third-party repository, without the local user having to do any manual cryptographic verification.
>
> I don't know if the sysadmin team already considered this, and decided against it for some reason. It sure would be nice having a simpler process for this.

I don't think anyone would object to tor-archive-keyring in debian. If anyone's interested in doing this, please let me know, i'd be happy to provide some guidance on the safest way to do this for versions of debian starting with the current stable ("stretch").
--dkg
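An added example, not code from the thread or from Tor's own packaging, showing the Signed-By approach dkg recommends above next to the "apt-key add -" pattern it replaces. The repository URL, distribution, package name and the 40-hex-digit fingerprint are placeholders to be replaced with the values the project publishes; the /usr/share/keyrings path follows the Debian wiki page linked above; `gpg --show-keys` assumes GnuPG 2.2 or later.

```shell
#!/bin/sh
# Added example (not from the thread, nor Tor's own tooling): anchoring a
# third-party apt repository on a downloaded, fingerprint-checked keyring
# referenced via Signed-By, instead of "apt-key add -".
#
# The old pattern the thread criticises looked like (placeholder URL):
#   wget -qO- https://deb.example.org/archive-key.asc | apt-key add -
# That puts the key into the global trusted set, so it could sign *any*
# repository on the machine, and gives the user no fingerprint check.
set -eu

# Render the sources.list(5) entry. [signed-by=...] restricts which key may
# sign this repository's Release file; the keyring never enters
# /etc/apt/trusted.gpg.d and cannot vouch for other repositories.
render_sources_line() {
    # $1 = repository URL, $2 = distribution codename, $3 = keyring path
    printf 'deb [signed-by=%s] %s %s main\n' "$3" "$1" "$2"
}

# Normalise a fingerprint (drop spaces, uppercase) so the form printed on a
# web page can be compared with gpg's colon-separated output.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# True when two fingerprints are equal after normalisation.
fpr_equal() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Return 0 if the primary key in keyring $1 has fingerprint $2. This is the
# "manual cryptographic verification" step; a keyring must not be installed
# without it, because the download channel alone proves nothing.
keyring_matches_fpr() {
    keyring=$1
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not found; refusing to trust $keyring unverified" >&2
        return 2
    fi
    # First "fpr" record is the primary key; subkeys follow it.
    actual=$(gpg --with-colons --show-keys "$keyring" 2>/dev/null \
             | awk -F: '$1 == "fpr" { print $10; exit }')
    if [ -n "$actual" ] && fpr_equal "$actual" "$2"; then
        return 0
    fi
    echo "fingerprint mismatch for $keyring: got '$actual'" >&2
    return 1
}

# Download, verify, install the keyring and write the sources entry.
# Needs root and network; every argument is a placeholder assumption.
install_repo() {
    # $1 = repo URL, $2 = codename, $3 = key URL, $4 = expected fpr, $5 = name
    keyring="/usr/share/keyrings/$5-archive-keyring.gpg"
    tmp=$(mktemp)
    curl -fsSL "$3" -o "$tmp.asc"
    gpg --dearmor < "$tmp.asc" > "$tmp"
    keyring_matches_fpr "$tmp" "$4"        # set -e aborts on mismatch
    install -m 0644 "$tmp" "$keyring"
    render_sources_line "$1" "$2" "$keyring" \
        > "/etc/apt/sources.list.d/$5.list"
    rm -f "$tmp" "$tmp.asc"
    apt-get update
}

# Usage (not run by default):  RUN_INSTALL=1 sh ./apt-signed-by.sh
if [ "${RUN_INSTALL:-0}" = 1 ]; then
    install_repo "https://deb.example.org/" stretch \
        "https://deb.example.org/archive-key.asc" \
        "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567" example
fi
```

The *-archive-keyring package route dkg mentions ships the same two artefacts (the keyring under /usr/share/keyrings and the .list file) as a Debian package, so the fingerprint check is done once by the package maintainer and users inherit it through Debian's own archive signature rather than repeating it by hand.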
tor-project mailing list tor-project@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project