[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: DebConf18: Call for keys for keysigning in Hsinchu, Taiwan

On Sun, Jun 24, 2018 at 1:05 PM, Gunnar Wolf <gwolf@gwolf.org> wrote:
> DebConf18: Call for keys for keysigning in Hsinchu, Taiwan
>
> As part of the Debian Conference (DebConf18) that will be held in
> Hsinchu, Taiwan, there will be OpenPGP (pgp/gpg) keysignings. If you
> intend to participate in the DebConf18 keysignings, please send your
> ascii armored public key as explained at [0] no later than 23:59
> UTC/GMT/Zulu on Sunday 22 July 2018. I'll start processing keys after
> a day or two.
>
> More (and up-to-date) information is available at [0], so keep
> watching it.
>
> [0] http://people.debian.org/~gwolf/ksp-dc18/ksp-dc18.html
>
> If you have questions please send them to the mailing list at
> debconf-discuss@lists.debconf.org.  If you don't want to post to the
> mailing list, send your questions to dkg@debian.org, gwolf@debian.org
> and noodles@debian.org.

Thanks for organizing this keysigning event, every year!

However, I find the guide a bit outdated.

- It mentions "OpenPGP Best Practices", but the document declare
itself outdated, which was written for GnuPG 1.4. [0]
  The updated document, which is for GnuPG 2.1,  is still on-going status[1].
  I think many of us have already migrated to GnuPG 2.1, which is
default since Stretch. so it's worth being noted this.

- It recommends hopenpgp-tools for key checking, but it cannot work
well with GnuPG 2.1 [2].

- If user don't configure a working MTA, it's hard to send out the
email. Especially for new contributor.
  There're many reasons not to set up a working MTA. I know it's
possible to setup exim4 as smarthost [3], but .. personally, I don't
like to be flooded by notice, such as cron job of my own machine
everyday. And I don't like my gmail credential being saved as plain
text in system.
  So what I recommend is using msmtp, which already works well with
caff [4][5]. In this way, the gmail credential can be saved as
encrypted file by GPG, and got decrypted on-the-fly when you send
email [6].
  After set msmtp up, we can use almost the same command as sendmail,
just replace sendmail with msmtp:

====
(echo -e "To: gwolf@debian.org\nFrom: Your Full Name
<name@example.org>\nBcc: name@example.org\nSubject: KeySigning Party @
DebConf18\n"; gpg --armor --export-options export-clean,export-minimal
--export 0xfedcba9876543210 0x0123456789abcdef | gpg --local-user
0xfedcba9876543210 --clearsign --local-user 0x0123456789abcdef
--clearsign) | msmtp -t
====

Maybe we can discuss how to improve this during my stay in DebCamp / DebConf.

See you around!

[0] https://riseup.net/en/security/message-security/openpgp/best-practices#how-to-use-this-guide
[1] https://github.com/riseupnet/riseup_help/issues/451
[2] https://bugs.debian.org/868769
[3] https://wiki.debian.org/GmailAndExim4
[4] https://wiki.debian.org/caff#Requirements
[5] https://wiki.debian.org/caff/msmtp
[6] https://wiki.debian.org/msmtp

Cheers,
-- 
Roger Shimizu, GMT +9 Tokyo
PGP/GPG: 4096R/6C6ACD6417B3ACB1
Reply to: