__Sander__ has quit [Quit: Konversation terminated!]
<gchristensen>
gpg is so hard to use
<gchristensen>
I'm tempted to stop signing commits just out of protest
<gchristensen>
I can't expect people to put up with that
<ekleog>
well, it's awfully hard to set up, not to use (once the setup is done)
<ekleog>
at least I just press the button on my yubikey at each `git co`
<gchristensen>
it takes maintenance, and moving computers is hell
<gchristensen>
I'm not sure I have the skills to safely maintain a gpg identity
<Foxboron>
gchristensen: Getting a HW token helps a lot. But I recommend sticking with GPG for security-related work
<gchristensen>
(I mean, I know, Foxboron
<gchristensen>
but I think I'd rather go to the dentist than do any sort of GPG stuff
<Foxboron>
Heh. yeah. It's tedious.
<gchristensen>
it is actually terrifyingly dangerous
<gchristensen>
not tedious
<gchristensen>
for example, I just set up WKD for my key for someone
<gchristensen>
it is super wild that instead of picking a sha1 encoding which every standard tool on the planet supports, they picked a different one which many fewer tools support
<gchristensen>
specifically, Z-Base-32 method as described in [RFC6189], section 5.1.6.
<Foxboron>
Ah, I have actually not looked at WKD
<gchristensen>
it is really wild that instead of ascii armored files at those locations, they chose to require binary outputs
<gchristensen>
know what's super cool about ascii armor which is substantially harder to replicate with the binary option?
<gchristensen>
-----BEGIN PGP PUBLIC KEY BLOCK-----
<ekleog>
gchristensen: WKD is supposed to be set up by pros and used by users, so it kind-of makes sense
<ekleog>
as for the sha1 encoding… do we speak of nix's encoding? :D
<gchristensen>
it does not make sense
<ekleog>
well, your mailbox provider is expected to set up WKD and give you some nice WebUI where you copy-paste your armored key
<gchristensen>
hah
<ekleog>
except when you're your own mailbox provider, in which case you're supposed to be a pro :p
<gchristensen>
that can't be the assumed case
<gchristensen>
the vast majority of mailbox providers aren't the ones maintaining the web root for the domain
<ekleog>
heh, there already is a WebUI for mails, so one more one less
<gchristensen>
yeah, but the well-known directory for WKD is grahamc.com/.well-known, not mail.google.com/.well-known
<ekleog>
WKD is actually one of the rare parts of OpenPGP that I don't find completely broken
<ekleog>
oh that's because you have a MX to google.com, right?
<gchristensen>
right, and so do most other domains (if not MX to google.com, MX to 3rd-party-mail-host)
<gchristensen>
if WKD is "one of the rare parts of OpenPGP that I don't find completely broken" let's throw it in the garbage, WKD isn't valuable enough to keep around.
<gchristensen>
if WKD is "one of the rare parts of OpenPGP that I don't find completely broken" let's throw it in the garbage, WKD isn't valuable enough to keep the rest of it around.
<ekleog>
heh, I didn't say it's valuable enough to keep OpenPGP alive
<ekleog>
the only thing keeping OpenPGP alive is network effects
<gchristensen>
then I'll be doing my part by not signing commits :)
<ekleog>
that, and the fact that even though most of it is pure garbage, there's just no better alternative
<ekleog>
well, I'd love it if you signed commits with something better than OpenPGP… not signing commits at all sounds like an overall loss to me :'(
<ekleog>
anyway, your life your choices :)
<gchristensen>
(I won't stop signing commits, but I very badly want to)
<ekleog>
(oh well then I completely understand you, and really hope for something better to come along! :))
<gchristensen>
actually, I might stop using gpg for git.