On 2024-10-13 08:58, Matěj Cepl wrote:
On Fri Oct 11, 2024 at 12:52 PM CEST, Michal Suchánek wrote:
if I understand this correctly instead of decentralized GPG infrastructure sigstore is a centralized service.
I don’t think it is only about centralization/decentralization (or at all). Just duck it and you get plenty of pages like [1] with a long list of gripes against PGP/GPG on a purely technical basis.
I have also learned about the other alternative for GPG from the OpenBSD universe, signify [2], which may be more relevant for the operating system distribution. However, the technical aspects of this religious war go way over my head.
The network of GPG key servers has been effectively out of service for several years, since the DOS attack started around 2019 or 2020. Keys submitted to one server do not get propagated to other servers.

For reference, google "DOS attack on GPG key servers". Example:

https://gist.github.com/rjhansen/f716c3ff4a7068b50f2d8896e54e4b7e
SKS Keyserver Network Attack: Consequences

https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
SKS Keyserver Network Under Attack

https://access.redhat.com/articles/4264021
CVE-2019-13050: Certificate spamming attack against SKS key servers and GnuPG

I do not know what to use as an alternative, or if there is one. Package signing seems to be not very much affected, as long as we effectively use a single key server, not the network.

-- 
Cheers / Saludos,

Carlos E. R.
(from 15.5 x86_64 at Telcontar)