On Sat, 2021-04-10 at 14:20 +0000, bo0od wrote:
what are you talking about? who uses PGP/GPG for a public ticket
tracking system?...
I do, Chris Marusich does, Léo Le Bouter does, Efraim Flashner does.
I probably could find some more examples in my mail archive somewhere.
Why shouldn't they use PGP? Signing e-mails with PGP allows the
recipient to verify the e-mails actually came from the supposed sender.
Remember, general discussion is done via e-mails on guix-devel@gnu.org,
bug reports are done via e-mails on bug-guix@gnu.org and NNN@debbugs.gnu.org
and patches are done via e-mails on guix-patches@gnu.org and
NNN@debbugs.gnu.org.
Practical use case:
* I want to test (and, if I were a committer, perhaps merge) one of the gnome
patch series (bug#47643, by Raghav Gururajan and revised by Leo Prikler).
* I look over the source code changes, and don't see any obvious nefariousity,
but perhaps I missed something ...
* I trust Leo Prikler not to introduce non-obvious nefariousity.
However, e-mail is an unreliable medium, so this patch series might be
modified
by an attacker on-route to my system (and the systems of other people) and
the
attacker might have introduced non-obious nefariousity.
* I know Leo Prikler signs patch series. The attacker cannot, however, so the
attacker sends the (forged) patch series unsigned.
* /me asks Leo Prikler why the patch series is unsigned.
* The attacker's evil plan is foiled!
Actually, IIRC, Leo Prikler does not sign patch series. It's just an example!
Also, regardless of whether PGP is used, the mangling messes up some headers
(DKIM, IIRC), leading to e-mails being marked as spam. IIUC, debbugs or the
mailing list software used to mangle messages, but that is now disabled for
(at least) that reason.
Greetings,
Maxime.