[Dev] parabola-keyring and web of trust Was: Re: ISO release 2013-03 and related issues

Nicolás Reynolds fauno at kiwwwi.com.ar
Thu Mar 21 21:15:27 GMT 2013


Esteban Carnevale <alfplayer at mailoo.org> writes:
> * GPG keys for pacman
>
> Upgrades of parabola-keyring are too verbose now. Do we avoid using
> any kind of master keys? To do this, we would remove
> parabola-keyring. To install a package by a packager which is not on
> the keyring, the user would download the key from a public key server
> (pacman can do this), verify the key and sign it (using pacman-key).

We've been discussing this in the channel for quite some time now.  I've
made a graph of the pacman signatures[0] using sig2dot[1] so we can see
why it's failing.  The original is 11M so I resized it a bit.

There are two webs of trust.  The big one is archlinux-keyring, the small
one is parabola-keyring.  Things to notice:

* there are two WoTs because there are no shared sigs between Arch devs
  and Parabola hackers :c

* the master-keys approach of Arch produces a highly centralized WoT

* every Arch dev key has at least three signatures from the master keys

* most Parabola hackers only have one signature (from jorginho)

In conclusion, to start fixing things up we need to start signing each
other's keys.  Any Parabola hacker must have at least three sigs from
other hackers.  New keys (meaning new hackers) should start releasing
packages after being signed off by three other hackers.

Sign three other hackers!


I've made some tests and the keys that `pacman-key --populate parabola`
asks me to sign locally every time are:

Esteban Carnevale <alfplayer at lavabit.com>
Jorge Araya Navarro (mi llave PGP :D) <jorgean at lavabit.com>
Daniel Martí <mvdan at mvdan.cc>
Nicolás Reynolds <fauno at kiwwwi.com.ar>
Charles Roth (hacking email) <encycl at a2c3.co>
Brendan Scot Tildesley <brendan at tiddles.me>
Márcio Silva <coadde at lavabit.com>
André Silva <emulatorman at lavabit.com>
Jorge López <jorginho at lavabit.com>
Joseph Alexander Yaworski Jr. <jy at dervormund.info>

(There's something else here, because alfplayer has sigs that don't
appear on the keyring!)[2]

[0]: http://ompldr.org/vaHU5cQ/haiti.png and zoom:
     http://ompldr.org/vaHVhdA/parabola-keyring.png

[1]: http://www.chaosreigns.com/code/sig2dot/ ; the command used was
     `sudo pacman-key --list-sigs | perl sig2dot.pl | neato -Tpng -o haiti.png`

[2]: http://pastie.org/private/lro7ybenor8xmhy9luu8yq