Bug 32757 - Update GPG key of existing fd.org account (hellooooo?)
Status: RESOLVED FIXED
Alias: None
Product: freedesktop.org
Classification: Unclassified
Component: Account Modification Requests
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: fd.o Admin Massive
Reported: 2010-12-31 05:40 UTC by Felipe Contreras
Modified: 2011-12-06 11:48 UTC

Attachments
My GPG key (1.69 KB, application/pgp-encrypted)
2010-12-31 05:40 UTC, Felipe Contreras
My GPG key v2 (1.69 KB, application/pgp-encrypted)
2011-12-01 10:58 UTC, Felipe Contreras

Description Felipe Contreras 2010-12-31 05:40:46 UTC
Created attachment 41549
My GPG key

I don't have my old GPG available any more.

My account name is 'felipec'.
Comment 1 Felipe Contreras 2011-04-03 07:28:58 UTC
Ping.
Comment 2 Felipe Contreras 2011-06-06 13:00:01 UTC
2nd Ping.
Comment 3 Felipe Contreras 2011-08-06 09:10:18 UTC
3rd ping.
Comment 4 Felipe Contreras 2011-08-06 09:16:48 UTC
I am following the instructions here:

---
Requesting Modifications

If you want to add a GPG key to your account or get added to another project, this requires manual intervention. Go to Bugzilla and file a new bug. If you need to add a GPG key, assign it to freedesktop.org, component Account Changes; if you need to be added to a new project, assign it to that project (not freedesktop.org) for approval by the project maintainer. Project leaders will follow the same procedure as above to approve an addition request.
---

Who do I have to kill to get this done?
Comment 5 Felipe Contreras 2011-09-22 07:33:06 UTC
4th Ping.
Comment 6 Tollef Fog Heen 2011-11-09 08:34:01 UTC
Hi,

first, sorry for the massive delay in responding here.

is there any chance you could get some signatures on the key?  I'd rather not add keys without having any way to verify it's actually your key.
Comment 7 Felipe Contreras 2011-11-09 14:02:37 UTC
(In reply to comment #6)
> Hi,
> 
> first, sorry for the massive delay in responding here.
> 
> is there any chance you could get some signatures on the key?  I'd rather not
> add keys without having any way to verify it's actually your key.

Huh? How could it not be? The instructions don't mention any of that, but if you want, how about I encrypt a message with my private key, and I push it to my public_html directory in people fd.o. If I'm not me, and I'm able to do all that, there would be way more trouble.
Comment 8 Felipe Contreras 2011-12-01 10:58:29 UTC
Created attachment 54031
My GPG key v2

I would rather use this one.
Comment 9 Felipe Contreras 2011-12-01 11:03:59 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > first, sorry for the massive delay in responding here.
> > 
> > is there any chance you could get some signatures on the key?  I'd rather not
> > add keys without having any way to verify it's actually your key.
> 
> Huh? How could it not be? The instructions don't mention any of that, but if
> you want, how about I encrypt a message with my private key, and I push it to
> my public_html directory in people fd.o. If I'm not me, and I'm able to do all
> that, there would be way more trouble.

Helloooooooooooo?

Please see this signed message:
http://people.freedesktop.org/~felipec/update_gpg_key.txt

And these are the instructions in your wiki:
---
This page describes the mail interface, which assumes you have a GPG key attached to your account. If this is not the case, please file a bug on the Account Changes component in Bugzilla first, with your GPG key attached as a text/plain file, and noting the account which the key should be attached to. Please also make sure it's visible on the subkeys.pgp.net keyserver.
---
http://www.freedesktop.org/wiki/AccountMaintenance

Notice there's no mention of any key being signed. Also, I'm pretty sure my original key is not signed either.

Please, contact me by mail or whatever. It's very annoying to be unable to update my ssh key and being forced to carry the old one only for fd.o.
Comment 10 Tollef Fog Heen 2011-12-02 12:43:03 UTC
Please stop being abusive, you're getting less, not more attention that way.

While it is correct the referenced wiki page does not say anything about signing of keys, it also does not say anything about replacing keys so that procedure is undefined.

The signature on the file in your ~public_html is with your new, not your old key so that signature is worthless.  However, you've managed to get us the key in a manner which can actually be traced to your account, so I've updated it in the keyring now.
Comment 11 Felipe Contreras 2011-12-05 08:12:49 UTC
(In reply to comment #10)
> Please stop being abusive, you're getting less, not more attention that way.

Well, after *a year* of waiting, I'm not really sure what 'less attention' really means. But I'm not being abusive, I am simply raising a flag.

> While it is correct the referenced wiki page does not say anything about
> signing of keys, it also does not say anything about replacing keys so that
> procedure is undefined.

Perhaps, but what's the difference if no key was provided; at the end of the day it's updating the key, so the end result is the same.

> The signature on the file in your ~public_html is with your new, not your old
> key so that signature is worthless.

I know, but that's all I can do, because the old key is lost.

> However, you've managed to get us the key
> in a manner which can actually be traced to your account, so I've updated it in
> the keyring now.

Thanks.
Comment 12 Tollef Fog Heen 2011-12-06 09:20:54 UTC
(It's less than a year, not that it matters much).

That you're unable to see that your tone is abusive is something you'll have to work on yourself, there's not really much I can do about that.

The relevant difference between providing an initial key and a key at a later stage is one of getting a "fake" account vs getting access to somebody else's account.  I'm sure you're able to see why there is a major difference between those two cases.
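
The check described in Comment 10 and Comment 12, as an added example that is not part of the original thread or of freedesktop.org's tooling: it reads the machine-readable output of `gpg --status-fd 1 --verify` and accepts a key replacement only when the key already on file signed the request, or the request arrived through a channel tied to the account. The fingerprints, the sample status lines and the `via_account_channel` flag are constructed for illustration.

```python
"""Added example: does a signed key-replacement request prove control of
the account? Fingerprints and status lines are constructed sample data."""

OLD_FPR = "A" * 40  # constructed: key currently in the keyring for the account
NEW_FPR = "B" * 40  # constructed: key the requester wants installed


def status_line(fpr):
    """Build a constructed VALIDSIG line in GnuPG's --status-fd layout."""
    return f"[GNUPG:] VALIDSIG {fpr} 2011-12-01 1322737000 0 4 0 1 2 00 {fpr}"


def valid_signers(status_text):
    """Primary-key fingerprints that made a cryptographically valid signature."""
    signers = set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "REVKEYSIG":
            return set()  # a revoked signing key proves nothing; fail closed
        if parts[1] == "VALIDSIG":
            # The optional 10th argument is the primary key fingerprint;
            # the 1st argument is the signing (sub)key fingerprint.
            signers.add((parts[11] if len(parts) >= 12 else parts[2]).upper())
    return signers


def assess_replacement(status_text, key_on_file, proposed_key,
                       via_account_channel=False):
    """Return (accepted, reason) for a request to replace key_on_file."""
    signers = valid_signers(status_text)
    if key_on_file and key_on_file.upper() in signers:
        return True, "signed by the key already on file"
    if via_account_channel:
        # Hypothetical flag: the admin fetched the key or request from a place
        # only the account owner can write to (the thread's public_html case).
        return True, "delivered through a channel tied to the account"
    if proposed_key.upper() in signers:
        return False, "signed only by the proposed key; anyone can do that"
    return False, "nothing links the request to the account"


if __name__ == "__main__":
    print(assess_replacement(status_line(NEW_FPR), OLD_FPR, NEW_FPR))
    print(assess_replacement(status_line(NEW_FPR), OLD_FPR, NEW_FPR, True))
```
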
Comment 13 Felipe Contreras 2011-12-06 11:48:38 UTC
(In reply to comment #12)
> (It's less than a year, not that it matters much).
> 
> That you're unable to see that your tone is abusive is something you'll have to
> work on yourself, there's not really much I can do about that.

Either that, or you are exaggerating the meaning of abusive.

> The relevant difference between providing an initial key and a key at a later
> stage is one of getting a "fake" account vs getting access to somebody else's
> account.  I'm sure you're able to see why there is a major difference between
> those two cases.

That's not it. Read the description:

> This page describes the mail interface, which assumes you have a GPG key attached to your account.

Presumably there are accounts that don't have a GPG key attached. Maybe very old ones, when this was not required, who knows.

So in this case there isn't any difference. If somebody gets access to somebody else's account that doesn't have a GPG key, that person will update the key, and nobody will ask for a signature, and will be stolen. Exactly the same, the only difference is the starting point; an account that doesn't have a GPG key.

