Is there a specific reason for having to wait 3 days after changing my GPG key?


#1

I would like to know the reason for this decision, since I see this as more of an annoyance than anything else. I don't believe that such a long delay has any security benefit at all.

I've uploaded a new key (since I've lost the original one) because I wanted to upload a new plugin I've been intensively working on for the past two days, and this is seriously annoying.


#2

Because 3 days is probably the upper end of a completely normal absence from Sponge due to lack of time or interest or whatever. And the security benefit is that someone can't upload some random key to your account post-hacking and immediately start signing and distributing plugins from a trusted source. It's not a long wait by any metric of security.
This is like asking why you need ownership paperwork to hire a locksmith. It's inconvenient to gather it, especially while locked out, but you'd much rather it be required than otherwise, and the whole thing is avoided if you don't lose your keys.


#3

Well, I guess it does make some sense, but I think the wait time should be at least somewhat shorter if not completely absent if 2FA is enabled.


#4

It's to make it horribly annoying to ever put anything up on Ore.

Tbh it's the reason why my projects aren't on it.


#5

Could we just have it disabled? If someone seriously wanted to compromise someone's account and upload a virus plugin, they're going to just change the GPG key anyway. All it really will do is inconvenience developers rather than protecting from the false threat of hackers at the moment. And yes, if we have 2FA we shouldn't have to do the GPG file crap, because honestly it's a pain to do, especially since you have to keep track of your master file.


#6

I personally don't find it an inconvenience... and rather like knowing anything I download from sponge is free from issues. This is one of those, do it once and forget it things.


#7

Do it once, lose your file and lose ability to upload plugin updates for a few days.


#8

Yeah... that's not a good thing. Your private key is supposed to be one of the most important things you maintain on your computer. :wink:

Since I set it up once, it's easy for me to build any plugins. I just add the maven-gpg-plugin and away it goes! No additional effort. First time setup took very little time as well, so that's a perk.
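For readers who want to see what "just add the maven-gpg-plugin" looks like in practice, here is an added example of the pom.xml wiring. It is not taken from the thread or from any Sponge project; the plugin version, the key ID in `<keyname>` and the `ore-gpg` server id are assumptions you replace with your own values.

```xml
<!-- Added example (not from the thread): pom.xml fragment that binds
     maven-gpg-plugin to the verify phase so `mvn verify` produces a
     detached .asc signature next to every artifact.
     Assumed values: the plugin version, the key ID in <keyname>, and the
     settings.xml server id "ore-gpg" that holds the passphrase. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-gpg-plugin</artifactId>
      <version>3.1.0</version>
      <executions>
        <execution>
          <id>sign-artifacts</id>
          <phase>verify</phase>
          <goals>
            <goal>sign</goal>
          </goals>
          <configuration>
            <!-- Pin the signing key by long key ID or fingerprint so a
                 keyring with several keys cannot pick the wrong one. -->
            <keyname>0xABCDEF0123456789</keyname>
            <!-- Read the passphrase from the <server id="ore-gpg"> entry in
                 ~/.m2/settings.xml instead of hard-coding it in the POM. -->
            <passphraseServerId>ore-gpg</passphraseServerId>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Find the long key ID with `gpg --list-secret-keys --keyid-format long`, and put the passphrase in a `<server>` entry in `~/.m2/settings.xml` with the matching id rather than in the POM, which is typically committed. Since the whole thread is about what happens when the key is lost, back up the secret key (`gpg --export-secret-keys`) somewhere offline once this works; the config above is useless without it, and registering a replacement key is what triggers the waiting period being discussed.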


#9

May I ask you if that's listed anywhere in the documentation at all for sponge plugins and ore?


#10

p. much

edit: is are? kek


#11

Lol.

Well, we could at least have the courtesy of explaining how to set that up in a Sponge project rather than going "screw you, figure it out yourself on Maven's website" in the docs.


#12

... as opposed to "screw you figure it out yourself on sponge's website"? Projects use their own documentation - why would Sponge copy and paste documentation to their website when they can just as easily link you to the relevant, actively updated one maintained by the creators? There's nothing special about a 'sponge' project, it's just a regular project, fully within the use cases of both.

For zero configuration, try flavor.pie.promptsign on Gradle.


#13

But still, it's not a "regular" thing to be doing when you're building a plugin, so not everyone's going to figure out how to get that plugin even working properly from a page on an external website. It's usually helpful to have your own locally hosted tutorials for that kind of thing, even if it's really close to the other site.


#14

Well, that was just my opinion. If you want that of the relevant people, submit the relevant PR. :stuck_out_tongue:


#15

I've always been too lazy to do that kind of thing :stuck_out_tongue: