=== epod is now known as luk3yx
=== blahdeblah is now known as b8h
=== b8h is now known as blahdeblah
redarrowI would like to verify DSA key ID C9DE75B5 but can't find it on the regular key servers. This is the key used for signing of intltool-0.51.0.tar.gz from https://launchpad.net/intltool/trunk/0.51.010:10
cjwatsonWe may not have it; there's no requirement that a project owner upload a public key before they upload project files signed by it10:12
cjwatson(unlike PPAs)10:13
redarrowaparrently the user who uploaded the file is offline (at least the nick is not on freenode)10:14
redarrowwhat can I do to verify the archive?10:15
cjwatsonYou could ask them by email if they can upload the key10:16
redarrowcjwatson: I don't have access to my account right now... And the e-mail is locked.10:18
cjwatsonredarrow: you can find one in the ChangeLog file in the tarball10:19
cjwatsonwhich is hopefully still current10:20
redarrowcjwatson: thanks for the hint10:21
rbasakHow would you verify even if you could download the key? Are you hoping you have a trust path to it? If it's not on keyservers, that seems unlikely.10:24
redarrowrbasak: well verifying the signature of the archive with a key downloaded from an HTTPS website is better then nothing although far from good.10:26
cjwatsonYeah, without a trust path it really only gives you transport integrity (and maybe trust-on-first-use for future signatures by the same key)10:26
rbasakredarrow: but you downloaded the payload over HTTPS from the same site. If an attacker modified that, then you'd have to consider either the uploader's Launchpad credentials compromised, or Launchpad itself compromised. I don't see how getting the purported uploader's signing key from Launchpad defends against that. But sure, so long as you understand the implications ;)10:28
rbasakTOFU is a good point though. I do that all the time for publishers who sign but don't provide any means to bootstrap trust.10:29
redarrowrbasak: seems the key is available but the keyserver I choose is unavailable... pgp.mit.edu seems to have issues right now.10:42
=== kkeithle is now known as kkeithley
bobdradI'm having trouble logging into https://ubuntuforums.org/, it says my e-mail is invalid, but it is not. This seems to be related to SSO, I have not logged in via SSO previously.18:56
bobdradI have used that e-mail with the forums for years now.18:58
bobdradBut SSO does not like it, I suspect because it incorrectly identifies the domain as disposable.18:59
cjwatsonYou'll need to ask #canonical-sysadmin, sorry19:11
cjwatsonOr rt@ubuntu.com19:12
bobdradcjwatson: thnx21:48
=== lifeless_ is now known as lifeless

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!