Bryan's PGP #125
Conversation
Branch updated: b13856f to 2427274
Branch updated: 2427274 to 3144820
@chreekat any progress with the cross-signing?
It seems there's no progress/interest. Thus I'm closing this.
Reopening because I am, in fact, interested. No visible progress was caused by having other priorities and no clear understanding of the deadline here. If you do want to specify a deadline, please do so :)
Well, I just spent an hour getting back up to speed on how PGP works. Then I spent another 15 minutes trying to explain why I'm not convinced it's a good use of my time. But maybe I don't need to try to convince anybody of anything. Suffice to say, I don't think it's a good use of my time, so I will indeed close this issue. I'm open to hearing explanations why signing the metadata is important or how cross-signing the keys without in-person confirmation of fingerprints adds any value, but until then... Oh, another thing: What rights and responsibilities would come with having my key in the list of allowed keys? I sorta thought it was just to allow me to sign my own contributions if I were to do another GHC release at some point. Was that correct?
Because nothing guarantees the authenticity. HTTPS does not. GitHub does not, Haskell's download server does not. That's why GHC developers sign all bindists, and that's why distributions use PGP key signing for their metadata (check Gentoo etc.). The security propagates through the implicitly signed SHA256 hashes.
We can do in-person cross-signing at Zurihac.
It means that unless you provide the required steps w.r.t. PGP, you don't have write access to this repo, but will have to go through Ben or Zubin when doing post-release steps that involve ghcup. That is not negotiable. Feel free to ask/discuss with the security response team. An issue was opened here: haskell/ghcup-hs#858
My concern is that I don't trust the rest of the system to generate something worth authenticating with PGP. Not that I think there are any glaring holes in the system. I just worry it gives a false sense of security at the high cost of making automation harder. But ok, I'll drop that for now. I'm still willing to get added, however. I assume you still want to wait for cross-signing first? I'm more than happy to do an in-person cross-signing some time. A video call would also be fine for me since I've met all of you in person.
Automation isn't the primary concern of redistribution, IMO. Also note my comments in the docs: https://www.haskell.org/ghcup/guide/#gpg-verification
So far, no one has contacted me. But that's irrelevant. The docs make clear how to do it properly. It's a sign that GHCup takes security seriously, even if no one makes use of it. If there's a better system, that doesn't require building offline trust, please point me to it. But I don't think there is.
Yes.
You think a video call is enough in light of recent developments in AI? 🤔
Lol, good point :P
I'll cross-sign my key with any other Zurihac attendees who are in the file (@bgamari , @Kleidukos , @wz1000 ?) |
@bgamari @wz1000
Related: haskell/ghcup-hs#889