On Thu, Aug 21, 2014 at 08:58:14AM +1000, Aníbal Monsalve Salazar wrote:
> > https://people.debian.org/~anibal/ksp-dc14/ksp-dc14.txt
> > After downloading the files, check the signatures and then the sha256 hashes.
> > The webpage at [0] explains how to do that.
> > [0] https://people.debian.org/~anibal/ksp-dc14/ksp-dc14.html

> The encoding for the .txt files is ISO-8859-1.
> Next year it will be UTF-8.

How was this file produced? caff (from signing-party) has support for reading an annotated gpgparticipants file as input for ease of signing. But the file that was provided for this KSP does not match the format expected by caff (nor the format generated by current versions of gpgparticipants).

It's a real shame that year over year we aren't getting any better at using the tools available for running key signing parties efficiently and instead continue to rely on lots of annoying manual verification and transcription of checksums on the part of party participants.

It's also a shame that you are publishing supplementary files as part of the ksp prep that have no relevance to the cryptographic protocol in effect (such as the condensed file, which is insufficiently condensed for reasonable printing because it contains information that's superfluous for note taking, and useless for the actual verification protocol because it lacks crucial information *and* is not the file we exchange checksums on). Publishing these supplemental files can only mislead participants into using them in ways that they should not.

For next year, please correct this. Publish only the keyring file and the gpgparticipants output - no superfluous detached signatures, checksum files, or extra "condensed" text files - and ensure that they work with the signing-party suite, so that we're able to leverage the work done on producing small and auditable tools for KSP protocols instead of relying on excessive and unacceptable amounts of manual and error-prone work on the part of KSP participants.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Attachment:
signature.asc
Description: Digital signature