Add PGP key ids to AUTHORS.rst? #23

Closed
tiran opened this issue Aug 8, 2013 · 7 comments
@tiran
Contributor

tiran commented Aug 8, 2013

How do you feel about PGP key ids in the AUTHORS.rst file? As security-concerned citizens we should encourage people to use PGP/GPG, especially if somebody wants to report a bug securely.

@lvh
Member

lvh commented Aug 8, 2013

Mostly a good idea, but shouldn't the entire file be signed (possibly as a consequence of a release)? Obviously, if the value isn't authenticated somehow, it's pretty trivial for an attacker to make N fake GPG keys :)

@hynek
Contributor

hynek commented Aug 8, 2013

I don’t think we can solve this chicken-and-egg problem of trust. We could add fingerprints for all I care; people using GPG will have to check the trust graphs anyway (but probably won’t).

@lvh
Member

lvh commented Aug 8, 2013

Right: it's strictly better, but only if anyone actually ever checks a signature. (Or, if you trust github and only ever use github over HTTPS, git over ssh/https).

@tiran
Contributor Author

tiran commented Aug 13, 2013

Please comment on the idea. I'm not particularly happy with the redundancy of key id / fingerprint.

AUTHORS

  • Alex Gaynor alex.gaynor@gmail.com
    GPG key id: 0x125F5C67DFE94084
    GPG fingerprint: E27D 4AA0 1651 72CB C5D2 AF2B 125F 5C67 DFE9 4084
  • Hynek Schlawack hs@ox.cx
    GPG key id: 0x02E02344C6197B3C
    GPG fingerprint: 578A 0615 5FD5 FAAD 602E 3BDD 02E0 2344 C619 7B3C
  • Donald Stufft donald@stufft.io
    GPG key id: 0x6E3CBCE93372DCFA
    GPG fingerprint: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
  • Laurens Van Houtven _@lvh.io
    GPG key id: 0x8D2E6BACE6D6AAAE
    GPG fingerprint: 9B44 D92F FF0C C85A 34C3 6C3D 8D2E 6BAC E6D6 AAAE
  • Christian Heimes christian@python.org
    GPG key id: 0xC788C4C1D4550D45
    GPG fingerprint: BB97 AF8B C4E7 A5C0 D962 23D3 C788 C4C1 D455 0D45

Acquire GPG keys

You can download all keys with a single command::

    gpg --keyserver pool.sks-keyservers.net --recv-key \
        0x125F5C67DFE94084 0x02E02344C6197B3C 0x6E3CBCE93372DCFA \
        0x8D2E6BACE6D6AAAE 0xC788C4C1D4550D45
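
As an added illustration of the redundancy discussed in this thread (example code, not part of the issue or the project's repository): a long OpenPGP key id is by definition the last 16 hex digits of the key's fingerprint, so one column can be derived from the other. The script below parses three of the proposed AUTHORS entries as constructed sample input, checks that each stated key id agrees with its fingerprint, and builds the `--recv-keys` command from the fingerprints alone; the keyserver name is the one used in the comment above.

```python
import re

# Constructed sample input: three of the AUTHORS entries proposed above.
AUTHORS_TEXT = """\
  • Alex Gaynor alex.gaynor@gmail.com
    GPG key id: 0x125F5C67DFE94084
    GPG fingerprint: E27D 4AA0 1651 72CB C5D2 AF2B 125F 5C67 DFE9 4084
  • Hynek Schlawack hs@ox.cx
    GPG key id: 0x02E02344C6197B3C
    GPG fingerprint: 578A 0615 5FD5 FAAD 602E 3BDD 02E0 2344 C619 7B3C
  • Laurens Van Houtven _@lvh.io
    GPG key id: 0x8D2E6BACE6D6AAAE
    GPG fingerprint: 9B44 D92F FF0C C85A 34C3 6C3D 8D2E 6BAC E6D6 AAAE
"""

ENTRY_RE = re.compile(r"^\s*•\s+(?P<name>.+?)\s+(?P<email>\S+@\S+)\s*$")
KEYID_RE = re.compile(r"GPG key id:\s*(0x[0-9A-Fa-f]{16})")
FPR_RE = re.compile(r"GPG fingerprint:\s*([0-9A-Fa-f ]+?)\s*$")


def parse_authors(text):
    """Parse the AUTHORS block into dicts with name, email, key_id and fingerprint."""
    entries = []
    for line in text.splitlines():
        if m := ENTRY_RE.match(line):
            entries.append({"name": m["name"], "email": m["email"]})
        elif m := KEYID_RE.search(line):
            entries[-1]["key_id"] = "0x" + m[1][2:].upper()
        elif m := FPR_RE.search(line):
            # Normalise to 40 upper-case hex digits without the display spacing.
            entries[-1]["fingerprint"] = m[1].replace(" ", "").upper()
    return entries


def key_id_from_fingerprint(fingerprint):
    """The long (64-bit) key id is the last 16 hex digits of a v4 fingerprint."""
    return "0x" + fingerprint[-16:]


def find_mismatches(entries):
    """Names whose stated key id is not derived from their own fingerprint."""
    return [e["name"] for e in entries
            if len(e["fingerprint"]) != 40
            or key_id_from_fingerprint(e["fingerprint"]) != e["key_id"]]


def recv_keys_command(entries, keyserver="pool.sks-keyservers.net"):
    """Fetch command built from full fingerprints; the key id column is redundant."""
    return "gpg --keyserver %s --recv-keys %s" % (
        keyserver, " ".join(e["fingerprint"] for e in entries))
```

Passing the full fingerprint to `--recv-keys` also avoids relying on the shorter id, which is the only part an attacker could plausibly reproduce in a look-alike key.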

@hynek
Contributor

hynek commented Aug 14, 2013

Putting there both seems redundant. It’s either key id XOR fingerprint.

@public
Member

public commented Aug 14, 2013

Having a file with a list of fingerprints in with no guidance on how the project intends you to use them for verifying things just doesn't seem very helpful on its own. I guess the secure bug reporting issue may be the only case this is particularly useful right now, but then there should probably be some instruction in README.md on how to report security issues too?

@alex
Member

alex commented Oct 22, 2013

We started including these (or at least I did :P), so this is done.

@alex alex closed this as completed Oct 22, 2013
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 1, 2020