
Re: Removal of SKS



Sebastian Urbach wrote:
> I hereby request the removal of the sks package from all Distros /
> Platforms. The software does not work out of the box for at least 2
> years. There are multiple permission errors after the installation and
> obviously nobody is interested in fixing it. It does not matter if it's
> stable / testing / unstable the errors are always present.

It sounds like you're referring to at least one release-critical bug against the
sks package, but i don't see anything reported in the normal place:

  http://bugs.debian.org/sks

I agree with you that it would be nice to improve an automatic setup,
but the way SKS is developed and deployed, we can't expect that to
happen realistically for all users (and indeed we wouldn't want to do
so).

For a standard SKS deployment that links to the public keyservers, the
usual setup is described in /usr/share/doc/sks/README.Debian.  It
involves the download of several GiB of data, and a rather lengthy
import process, before you can start to legitimately connect your server
to other peers in the main pool.  These are not things we want to do
automatically on package installation.

There are also legitimate use cases for an sks instance that does *not*
sync with the public pools, for example, to act as a key distribution
mechanism within a workgroup or small team, or for use as an entirely
private keyserver when testing software that interacts with keyservers
without pushing data to the public keyserver network.  It's not the
place for the debian packager to decide which of these scenarios the
administrator wants to deploy.

SKS itself is also quite problematic in terms of public deployment,
because of its blocking, single-threaded nature.  Responsible public
deployments need to be placed behind a reverse HTTP proxy, such as nginx
or apache or varnish.

 https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering

At the moment, sks in debian is up-to-date with upstream (1.1.4) for
sid; one of the debian maintainers (myself) is engaged in active
discussions with upstream (e.g. on the new #sks channel on freenode),
and the latest version of sks is available in wheezy-backports.

I'm not claiming there are no problems with sks, or with sks in debian.
There are many (including, sadly, probably many that haven't been
reported that i don't even know about).  The way to resolve these
problems is to report them clearly and specifically via the debian BTS,
so we can get them resolved.

There is no reason that i'm aware of to pull sks from any part of
debian.

Regards,

        --dkg

PS please CC me on replies to this message.
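
Added example, not part of the original message or of the sks package: an nginx front end for the reverse-proxy arrangement the message says public deployments need. The address 192.0.2.10, the hostname keys.example.org, and the timeout and size values are assumptions chosen for illustration.

```nginx
# Goes inside the http { } context of nginx.conf.
# Constructed values: 192.0.2.10 (public address) and keys.example.org
# (hostname) are placeholders.
#
# Matching sksconf settings, so that the SKS HKP listener is reachable
# only through the proxy:
#   hkp_address: 127.0.0.1
#   hkp_port:    11371

server {
    # Bind the public address explicitly; SKS itself holds 127.0.0.1:11371.
    listen 192.0.2.10:11371;
    server_name keys.example.org;

    # Bound what a single client can make nginx hold before SKS sees it.
    client_max_body_size 8m;
    client_body_timeout  30s;
    send_timeout         30s;

    location / {
        proxy_pass http://127.0.0.1:11371;

        # nginx reads the whole request from a slow client before contacting
        # the upstream, and buffers the response for slow readers, so the
        # blocking, single-threaded SKS process is occupied only briefly.
        proxy_buffering on;

        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # If SKS stalls, fail the request instead of stacking up connections.
        proxy_connect_timeout 5s;
        proxy_read_timeout    60s;
    }
}
```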
