a step in the right direction

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jan 16 15:54:07 CET 2018


On Mon 2018-01-15 17:45:49 -0500, Robert J. Hansen wrote:
> _Literally every major FOSS package manager breaks.  Updates become
> impossible._

while i agree with rjh that destruction of the current SKS-based
keyserver network (either by technical or legal means) would today be a
net loss, this statement goes too far.

the debian package manager does not directly use the keyserver network,
and debian archive signing keys are themselves distributed as debian
packages.

the keyservers can occasionally be used as a way to find updated keys
for a system that has been offline for years, to "re-bootstrap" the
package manager, but dpkg and apt are certainly not reliant on the
keyserver network to do their thing.

Third-party repositories also do not need the keyservers to function
properly, if they're configured in a sensible way:

    https://wiki.debian.org/DebianRepository/UseThirdParty

Regards,

        --dkg