by tdjsnelling on 8/27/19, 5:01 PM with 30 comments
by jnbiche on 8/27/19, 5:52 PM
In any case, a keyserver's job is not even to be some kind of source of trust, so all that really should matter is that it has a user's most up-to-date keys on it. Validating a key should come from web-of-trust or some secure second channel verification method (like listing your key ID on a TLS-enabled website).
by progval on 8/27/19, 6:52 PM
You could try splitting this big function into smaller functions to reduce the length of the code's largest callbacks.
It also makes commits harder to read. E.g., for https://github.com/tdjsnelling/dat-keyserver/commit/12fa3e83... a reader can't easily see what changed in the function, as every line's indentation was changed. (And the commit message does not explain what the bug was.)
by fwip on 8/27/19, 6:20 PM
My understanding of this is that anyone with a copy of anything you've ever signed can revoke your key. I hope I'm misunderstanding.
by Leace on 8/27/19, 5:53 PM
Still, an interesting alternative for people who consider https://keys.openpgp.org too radical.