evaluate possible options for OpenPGP keyring maintenance
Many tickets here are about maintaining the various keyrings required for daily operations at Tor. A few examples include new keys, expiration updates and so on: #27748 (closed), #27748 (closed), #27726 (closed), #27600 (closed), #28891 (closed), #28150 (closed), #28138 (closed), #29455 (closed)... but there are literally hundreds of such tickets.
Those keys are currently stored in many different locations:
- a fingerprint in LDAP
- git@git-rw.torproject.org:admin/account-keyring.git
- ssh://alberti.torproject.org/srv/db.torproject.org/keyrings/keyring.git
- TPA password manager also has its own keyring subset (see also #29677)
- torbrowser signing keys (duplicated in LDAP, see e.g. #28306 (closed))
- TPO main website's people page sometimes has people's keys, sometimes links to LDAP (tpo/web/tpo#332)
All of this makes key maintenance and discovery difficult. Investigate possible alternatives, including Debian packages (like the one used by debian-archive-keyring), a private keyserver, gpgsync, monkeysphere, openpgp-ca, or a flock of unicorns. ;)