[10:10] <redarrow> I would like to verify DSA key ID C9DE75B5 but can't find it on the regular key servers. This is the key used for signing of intltool-0.51.0.tar.gz from https://launchpad.net/intltool/trunk/0.51.0
[10:12] <cjwatson> We may not have it; there's no requirement that a project owner upload a public key before they upload project files signed by it
[10:13] <cjwatson> (unlike PPAs)
[10:14] <redarrow> aparrently the user who uploaded the file is offline (at least the nick is not on freenode)
[10:15] <redarrow> what can I do to verify the archive?
[10:16] <cjwatson> You could ask them by email if they can upload the key
[10:18] <redarrow> cjwatson: I don't have access to my account right now... And the e-mail is locked.
[10:19] <cjwatson> redarrow: you can find one in the ChangeLog file in the tarball
[10:20] <cjwatson> which is hopefully still current
[10:21] <redarrow> cjwatson: thanks for the hint
[10:24] <rbasak> How would you verify even if you could download the key? Are you hoping you have a trust path to it? If it's not on keyservers, that seems unlikely.
[10:26] <redarrow> rbasak: well verifying the signature of the archive with a key downloaded from an HTTPS website is better then nothing although far from good.
[10:26] <cjwatson> Yeah, without a trust path it really only gives you transport integrity (and maybe trust-on-first-use for future signatures by the same key)
[10:28] <rbasak> redarrow: but you downloaded the payload over HTTPS from the same site. If an attacker modified that, then you'd have to consider either the uploader's Launchpad credentials compromised, or Launchpad itself compromised. I don't see how getting the purported uploader's signing key from Launchpad defends against that. But sure, so long as you understand the implications ;)
[10:29] <rbasak> TOFU is a good point though. I do that all the time for publishers who sign but don't provide any means to bootstrap trust.
[10:42] <redarrow> rbasak: seems the key is available but the keyserver I choose is unavailable... pgp.mit.edu seems to have issues right now.
[18:56] <bobdrad> I'm having trouble logging into https://ubuntuforums.org/, it says my e-mail is invalid, but it is not. This seems to be related to SSO, I have not logged in via SSO previously.
[18:58] <bobdrad> I have used that e-mail with the forums for years now.
[18:59] <bobdrad> But SSO does not like it, I suspect because it incorrectly identifies the domain as disposable.
[19:11] <cjwatson> You'll need to ask #canonical-sysadmin, sorry
[19:12] <cjwatson> Or rt@ubuntu.com
[21:48] <bobdrad> cjwatson: thnx