> keys.openpgp.org is a new experimental keyserver which is not part of the keyserver network and has some features which make it resistant to this sort of attack. It is not a drop-in replacement: it has some limitations (for instance, its search functionality is sharply constrained). However, once you make this change you will be able to run gpg --refresh-keys with confidence.
I know the folks behind this and I think they’ve approached it thoughtfully and realistically.
It’s using a modern OpenPGP implementation and language (Sequoia, Rust) which is a big win. Despite it being centralised, I’d encourage folks to have a look.
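The "change" the quoted comment refers to is pointing GnuPG at keys.openpgp.org instead of the SKS pool. The shell snippet below is an added example, not code from the thread, keys.openpgp.org or GnuPG: it rewrites the `keyserver` line of a gpg.conf to `hkps://keys.openpgp.org` (replacing a pool entry if one is present, appending one if not) and returns the effective value so it can be checked. It takes the config path as an argument so it can be tried on a scratch file before touching `~/.gnupg/gpg.conf`; the old pool URL used as sample input is constructed for illustration.

```shell
# Added example: switch a gpg.conf from the SKS pool to keys.openpgp.org.
# Assumes GnuPG reads "keyserver <url>" from gpg.conf (it also accepts the
# setting in dirmngr.conf); the function is idempotent.

# set_keyserver CONF_FILE [URL]
# Replace any existing "keyserver" line with URL (default keys.openpgp.org
# over HKPS), or append one if the file has none. Prints the resulting URL.
set_keyserver() {
    conf="$1"
    url="${2:-hkps://keys.openpgp.org}"
    [ -f "$conf" ] || : > "$conf"
    if grep -q '^keyserver ' "$conf"; then
        # keep every other line, rewrite the keyserver line(s) in place
        tmp="$conf.tmp"
        sed "s|^keyserver .*|keyserver $url|" "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf 'keyserver %s\n' "$url" >> "$conf"
    fi
    # effective setting: last keyserver line wins if several remain
    grep '^keyserver ' "$conf" | tail -n 1 | cut -d' ' -f2-
}

# current_keyserver CONF_FILE
# Print the keyserver currently configured, or "none" if the file sets none.
current_keyserver() {
    conf="$1"
    if [ -f "$conf" ] && grep -q '^keyserver ' "$conf"; then
        grep '^keyserver ' "$conf" | tail -n 1 | cut -d' ' -f2-
    else
        echo none
    fi
}

# Usage on a real profile (GNUPGHOME defaults to ~/.gnupg):
#   current_keyserver "${GNUPGHOME:-$HOME/.gnupg}/gpg.conf"
#   set_keyserver "${GNUPGHOME:-$HOME/.gnupg}/gpg.conf"
#   gpg --refresh-keys
```

Run `gpg --refresh-keys` only after the setting points at keys.openpgp.org; with the pool still configured, a refresh is exactly the operation the attack in the article exploits.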
On that issue, SKS has become so troublesome to run that the number of peers has steadily decreased to the point where there are only 2 entities running the HKPS (“secure”) pool, so in reality SKS is centralised too, as well as unmaintained. Source: I run a key server and a key expiry reminder service.
Probably OCaml. While it's been around much longer, it's never really reached mass acceptance (though does get used here and there). Rust is newer but I'd estimate it's already more used, and its adoption in industry is growing quite quickly.
This is probably to do with the fact that OCaml doesn't necessarily solve any problems that are apparent to businesses, whereas Rust solves the very apparent "manual memory management makes massive vulns trivial" problem.
I'm not sure which language is actually more approachable for someone trying to learn it from scratch though.
OCaml is very popular in academia though, especially in the field of theoretical computer science and formal verification. Coq, Frama-C, Flow, CompCert, etc. are all written in OCaml. Heck, if you are running a graphical GNU distribution, chances are that you have installed FFTW, which is written in OCaml. The "industry" is not the only thing that matters when considering the adoption of a language.
Right? I was reading about this and thinking "hey, maybe technically sound but less well-known languages like OCaml or Rust are not always a good choice".