[pkg-gnupg-maint] Upstream request: Please use the default keyservers

Gunnar Wolf gwolf at debian.org
Tue Mar 3 16:18:48 GMT 2020


Hello Andre and others,

I am chiming in on this discussion as I think it just highlights a
symptom, not a wrong decision — neither by dkg nor by the GnuPG
developers.

We GnuPG users are usually a bunch of privacy freaks, and I completely
understand your issue about giving all of our queries to one
centralized party. I also understand dkg's rebuttal, in that GnuPG's
status quo also gives it to a(nother) centralized party.

As yet-another-sks-operator, I can also assert that sks, the main
software for operating hkps servers, is too brittle. Attempts at
improving it have been sketched out, but not yet deployed. Many
reliability issues have been reported over the years, and they have led
several people to decommission the resources they devoted to keeping
the keyserver network alive. How many have dropped? Well, just look at
the SKS status page... The amount of red (servers that used to be
part of the network but have dropped, or are having reliability issues
that keep them from being considered) is disheartening:

    https://sks-keyservers.net/status/

176 dropped servers against 31 still in the pool ☹

So, the choice now is between two suboptimal solutions — a brittle
service that has become centralized due to peers stopping work, and a
centralized service that limits the information it provides in ways
that some people find break some workflows.

As to why dkg made this choice, which is partially answered by
Jonathan's mail: Distributions _often_ deviate from upstream behavior
to better suit their users' expectations. Debian aims to work reliably
for all kinds of users who are probably not aware of the specifics of
all programs installed; GnuPG is often not used by the end users
themselves, but by programs querying on their behalf. We cannot expect
them to always understand why a query takes so long, and they will see
timeouts as defects. As to publishing keys, by far most users who
create keys use them tied to an e-mail identity.

There will always be users with use cases like yours — given it
requires *knowing the tools* in a more intimate way than most, it is
not out of place to ask them to read a bit more and change the
default settings.

GnuPG upstream authors cater by default to people who *care*, who know
their way around, who knowingly use and tweak the tool in question. Yes, you
do care for other users... but you will most likely interact more with
people like dkg than with typical end users. FWIW, I am quite an
advanced GnuPG user, and I most often go through my trusted Debian
developer instead of reaching out to you. dkg has rescued me more than
once (or told me I'm beyond salvation). Of course defaults will be
different between GnuPG's worldview and Debian's!

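The mail above argues that users whose workflow does not fit the distribution default should override it themselves. As an added illustration (not part of Gunnar's mail, nor Debian's or GnuPG's own configuration), this is what such an override looks like on a GnuPG 2.1+ system, where keyserver access is handled by the dirmngr daemon. The keyserver address and the timeout value are placeholders chosen for the example; pick the server you actually trust.

```conf
# ~/.gnupg/dirmngr.conf  (added example, not from the original mail)
# Since GnuPG 2.1, keyserver lookups go through dirmngr, so the
# keyserver is set here rather than in gpg.conf. The address below is
# an example value; replace it with the server you want to query.
keyserver hkps://keyserver.ubuntu.com

# Bound how long a lookup may hang before it fails, so that callers
# (mail clients, package tools) see a quick error instead of a stall.
# 10 seconds is an example value.
connect-timeout 10

# ~/.gnupg/gpg.conf  (added example, not from the original mail)
# Only consult the local keyring and Web Key Directory automatically;
# keyserver lookups happen only when explicitly requested, so no
# query leaks to the keyserver as a side effect of reading mail.
auto-key-locate local,wkd
keyserver-options no-auto-key-retrieve
```

After editing the files, reload the running daemon with `gpgconf --reload dirmngr` and check the new setting with an explicit fetch such as `gpg --recv-keys <FINGERPRINT>`, substituting a fingerprint you already know; if the server is unreachable, the command should now fail within the configured timeout rather than appearing to hang.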

