a step in the right direction

Robert J. Hansen rjh at sixdemonbag.org
Mon Jan 15 23:45:49 CET 2018


> Which would be step in the right direction when compared
> with the current situation.

... shutting down a keyserver network relied on by literally tens of
thousands of people, to say nothing about OS distributions, is a "step
in the right direction"?

Okay.  Fine.  Let's say you wave a magic wand and you're able to make
the keyserver network go away.  What are the immediate, *predictable*,
consequences?

First, people in bad places like Syria and Iran lose the ability to
easily get public keys for journalists in free countries.  The neat
thing about the pool is nobody knows exactly who all is in it.  Years
ago for some months I ran a covert keyserver to see how practical it
would be for people in hostile regimes: my keyserver was not part of the
public pool, but synced with it.  That's useful because a regime might
firewall off the entire pool, but so long as covert nodes exist the
whole of the network is still accessible even in information-controlling
regimes.

Second, your operating system -- if you're running something like a
Linux distro, or macOS using Homebrew, or heck, even Windows with
msys2/mingw -- *BREAKS*.  You can't get updates any more.  Let's look at
why, using the package manager in msys2/mingw/Arch Linux.  It's called
pacman.

In pacman, each package is signed by the package maintainer.  The
package maintainer's certificate is in turn signed by at least three
other pacman maintainer certs.  E.g., if you manage a package called
"fooblitzsky", you sign the fooblitzsky packages with your cert, and
three msys2 maintainers sign your cert.  This way, end users can be
confident that you, the maintainer, personally authorized this release,
and that you're trusted by the msys2 team.

Now that you've taken down the keyserver network, you go to install
fooblitzsky, and ... uh ... wait.  You can get the package, but you have
no way of getting the maintainer's cert to verify the package.

_Literally every major FOSS package manager breaks.  Updates become
impossible._

Let that sink in for a moment.

I don't think you understand anything about the ecosystem here.  You're
advocating burning down a _critically important part of the entire FOSS
landscape._
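The pacman trust chain described in the message (package signed by the maintainer, maintainer key certified by at least three distribution master keys, and nothing verifiable if the maintainer key cannot be fetched), modelled as an added example. This is not pacman's or GnuPG's code and not part of the original post: pacman uses OpenPGP signatures via GnuPG, while this stand-in uses Lamport one-time signatures over SHA-256 so it runs with the Python standard library alone. The three-certification threshold is taken from the message; the function names, key-id format, and the package bytes are constructed for the example.

```python
"""Toy model of pacman's package trust chain (added example, not pacman code).

Real pacman/GnuPG use OpenPGP; here Lamport one-time signatures over SHA-256
stand in so the example is self-contained. Policy modelled:
  1. the package must verify under the maintainer's key,
  2. that key must carry certifications from >= 3 trusted master keys,
  3. if the maintainer key was never obtained, verification cannot start.
"""
import hashlib
import os

MIN_MASTER_CERTS = 3  # assumed threshold, from "at least three" in the message


def _h(data):
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """One-time key: 256 pairs of random secrets; public key is their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg):
    """Reveal, for each bit of SHA-256(msg), the matching secret. Never reuse sk."""
    digest = int.from_bytes(_h(msg), "big")
    return [sk[i][(digest >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(pk, msg, sig):
    digest = int.from_bytes(_h(msg), "big")
    return len(sig) == 256 and all(
        _h(sig[i]) == pk[i][(digest >> (255 - i)) & 1] for i in range(256)
    )


def key_bytes(pk):
    return b"".join(a + b for a, b in pk)


def key_id(pk):
    return hashlib.sha256(key_bytes(pk)).hexdigest()[:16]


def verify_package(pkg, pkg_sig, maintainer_id, keyring, master_ids, certs):
    """keyring    : {key_id: pk} for keys the client actually managed to fetch
    master_ids : key ids of the distribution's trusted master keys
    certs      : {maintainer_id: {signer_id: signature over the maintainer key}}
    Returns (accepted, reason)."""
    pk = keyring.get(maintainer_id)
    if pk is None:
        # The failure the message describes: package downloaded, but the
        # maintainer's key is unobtainable, so nothing can be checked.
        return False, "maintainer key %s not in keyring" % maintainer_id
    if not lamport_verify(pk, pkg, pkg_sig):
        return False, "bad package signature"
    good = 0
    for signer, sig in certs.get(maintainer_id, {}).items():
        if (signer in master_ids and signer in keyring
                and lamport_verify(keyring[signer], key_bytes(pk), sig)):
            good += 1
    if good < MIN_MASTER_CERTS:
        return False, "only %d master certification(s), need %d" % (good, MIN_MASTER_CERTS)
    return True, "ok"


def demo():
    """Constructed scenario: three master keys, one maintainer, one package."""
    masters = [lamport_keygen() for _ in range(3)]
    m_sk, m_pk = lamport_keygen()
    m_id = key_id(m_pk)
    keyring = {key_id(pk): pk for _, pk in masters}   # master keys ship with the OS
    master_ids = set(keyring)
    # each master key certifies the maintainer key once (Lamport keys are one-time)
    certs = {m_id: {key_id(pk): lamport_sign(sk, key_bytes(m_pk)) for sk, pk in masters}}
    pkg = b"fooblitzsky-1.0-1-x86_64.pkg.tar (constructed package bytes)"
    sig = lamport_sign(m_sk, pkg)
    with_key = {**keyring, m_id: m_pk}                 # maintainer key was fetched
    return {
        "keyserver_reachable": verify_package(pkg, sig, m_id, with_key, master_ids, certs),
        "keyserver_gone": verify_package(pkg, sig, m_id, keyring, master_ids, certs),
        "tampered": verify_package(pkg + b"!", sig, m_id, with_key, master_ids, certs),
        "two_certs_only": verify_package(
            pkg, sig, m_id, with_key, master_ids,
            {m_id: dict(list(certs[m_id].items())[:2])}),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-20s %s (%s)" % (name, "ACCEPT" if ok else "REJECT", why))
```

Running the block accepts only the "keyserver_reachable" case; "keyserver_gone" is rejected before any signature is examined, which is the point of the message: the client has the package and the master keys but no way to obtain the maintainer's key.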


