
Re: Check for revocation certificates before running apt-get?



On Sun, Dec 15, 2013 at 12:17 AM, Paul Wise <pabs@debian.org> wrote:
> That would probably be fine for most Debian users but at that point I
> remembered that the Riseup OpenGPG best practices document has
> something to say about keyring refreshes; that keyring refreshes
> should happen using parcimonie to make correlation attacks harder.

This thread is probably not the most apropos place to bring this up,
but I've found parcimonie to be a terribly over-complex
implementation of the (good) design document that they wrote. It
requires pulling in dozens of perl modules, including GTK bindings
(?).

It worries me that it's starting to become the de facto tool for
keeping a keyring up-to-date, because security is one of the places
where minimalism really matters.

-- 
Darius Jahandarie

