[pkg-gnupg-maint] Upstream request: Please use the default keyservers
Jonathan McDowell
noodles at earth.li
Mon Mar 2 19:38:31 GMT 2020
On Mon, Mar 02, 2020 at 10:20:54AM +0100, Andre Heinecke wrote:
> Hi Daniel,
>
> On Friday 28 February 2020 21:12:07 CET Daniel Kahn Gillmor wrote:
> > On Fri 2020-02-28 10:59:58 +0100, Andre Heinecke wrote:
> > Sorry about that. I've tried to keep this response short, but i failed
> > again :( I appreciate your followup.
>
> This is about decision power.
>
> You are taking our software and changing it. This is not about a Bug it's an
> opinionated decision. You are stealing the maintainership of GnuPG.
That's an extreme view of package curation as part of a Linux
distribution.
> You are not the maintainer of GnuPG, it's our decision which keyserver is
> default. That you claim the right to just overrule us is free software at its
> worst. We should not have to convince you that our Software does the right
> thing.
dkg is the only active maintainer of GnuPG within Debian. He is the
maintainer of the package there, and as a result gets to make decisions
about how that package works within Debian. It's a fact that a key that
is held within the Debian keyring is corrupted within the SKS network
and will result in a large download that has been known to make GnuPG
unhappy. That's something that's more likely to affect people using
Debian packages than the wider user base, and it's a decent reason to
make a more cautious choice of keyserver for the distribution package.
> Debian is happily patching away on GnuPG. Ok. But at this point where our own
> user experience on Debian is broken by your changes we have to take a stand.
> This is not a technical issue. You are simply overruling us.
This change is not one that the user is powerless to revert; a single
entry in ~/.gnupg/gpg.conf will set the preferred keyserver (and as
someone who runs a keyserver and has found the SKS network unreliable in
the past I don't know why you wouldn't nail your config to a known good
keyserver rather than accepting the default).
(I live dangerously and enable no-self-sigs-only as well because what's
the point of OpenPGP without the web of trust?)
> For now I still care a bit about Debian and will stand up against you. It's
> probably hopeless but some core piece of software like GnuPG might stand a
> chance even against professional packagers that can spend their days
> writing long mails.
I care about Debian too, and use GnuPG within it, and I've found dkg to
be a responsive package maintainer who has proactively taken my bug
reports and passed them upstream, often with sufficient extra debugging
to narrow down exactly what the problem is.
J.
--
... "Unfortunately, no matter how good commercial software is, it gets
locked up in a tower, later archived to a dungeon, and its grave bears
no marker." -- adb