Bruno Haible <[email protected]> writes:

> Collin Funk wrote:
>> Should that section just be removed from the manual?
>
> Yes, for the moment, this seems to be the right thing to do, because:
>
> * Even with a configured keyserver that is still operating, such as
>   hkps://keys.openpgp.org, the problem with keyservers is that
>   anyone can upload a fake GPG key for a given package maintainer.[1]

That is the case for typical keyservers. But uploading a key on
keys.openpgp.org requires you to accept a verification email. Without
doing that the key will not be added. So unless a person has access to
your email, they cannot upload a fake key. At least that is what I
remember from uploading my key over a year ago [1], which I needed for
copyright assignments.

> * The release announcements that we make on info-gnu contain
>   instructions on how to retrieve the GPG keys from the GNU keyring.[2]

Yes, that keyring seems to be the most trustworthy to me.

> * According to Simon Josefsson, the replacement for the keyservers is
>   that users should fetch the GPG keys from various locations. [3]
>   This can be the package maintainer's Savannah account or home page,
>   for example. But this is hard to formalize in the Maintainers' Guide.

Yep, I was going to say that one has to remember to manually edit
announcements or output from 'announce-gen' to point to the key on
their page [2] or savannah profile [3]. But it seems Darshit Shah and
Simon already added the --gpg-keyring-url option to 'announce-gen' to
deal with this [4].

Collin

[1] https://keys.openpgp.org/vks/v1/by-fingerprint/2371185508D1317BD578E5CC8CE6491AE30D7D75
[2] https://collinfunk.com/8CE6491AE30D7D75.asc
[3] https://savannah.gnu.org/people/viewgpg.php?user_id=354732
[4] https://lists.gnu.org/archive/html/bug-gnulib/2022-03/msg00022.html
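The thread above settles on fetching a maintainer's key from a home page or Savannah profile rather than from a keyserver. What makes that safe is comparing the fetched key's fingerprint against the one published out of band (in the release announcement or the GNU keyring) before importing it. The following is an added example, not code from this thread, from gnulib or from 'announce-gen': it de-armors a key block, parses the primary Public-Key packet, computes the RFC 4880 v4 fingerprint and checks it against the pinned value, so a substituted key is rejected before `gpg --import` ever sees it. The key material is constructed inside the block (a toy 64-bit RSA modulus, not a real key) so the example runs offline; all function names are this example's own.

```python
"""Pin-check an OpenPGP public key before importing it (added example)."""
import base64
import hashlib
import hmac
import struct


def dearmor(text: str) -> bytes:
    """Strip an ASCII-armor envelope (RFC 4880 6.2) and return the packets."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an ASCII-armored block")
    body, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----END PGP"):
            break
        if not in_body:
            in_body = line.strip() == ""  # blank line ends the armor headers
            continue
        if line.startswith("="):          # CRC-24 line, not key data
            continue
        body.append(line.strip())
    return base64.b64decode("".join(body))


def read_packet(data: bytes, offset: int = 0):
    """Parse one packet header (RFC 4880 4.2); return (tag, body, next_offset)."""
    first = data[offset]
    if not first & 0x80:
        raise ValueError("invalid packet header")
    if first & 0x40:                      # new-format header
        tag, b = first & 0x3F, data[offset + 1]
        if b < 192:
            length, hdr = b, 2
        elif b < 224:
            length, hdr = ((b - 192) << 8) + data[offset + 2] + 192, 3
        elif b == 255:
            length, hdr = struct.unpack(">I", data[offset + 2:offset + 6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                 # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 0:
            length, hdr = data[offset + 1], 2
        elif ltype == 1:
            length, hdr = struct.unpack(">H", data[offset + 1:offset + 3])[0], 3
        elif ltype == 2:
            length, hdr = struct.unpack(">I", data[offset + 1:offset + 5])[0], 5
        else:
            raise ValueError("indeterminate length not supported")
    start = offset + hdr
    return tag, data[start:start + length], start + length


def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, a 2-byte length, and the key body."""
    if key_body[0] != 4:
        raise ValueError("only v4 keys are supported")
    prefix = b"\x99" + struct.pack(">H", len(key_body))
    return hashlib.sha1(prefix + key_body).hexdigest().upper()


def check_pinned_key(armored: str, expected_fpr: str) -> bool:
    """True only if the first packet is a Public-Key packet (tag 6) whose
    fingerprint equals expected_fpr; spaces and case in the pin are ignored."""
    tag, body, _ = read_packet(dearmor(armored))
    if tag != 6:
        return False
    want = expected_fpr.replace(" ", "").upper()
    return hmac.compare_digest(v4_fingerprint(body), want)


# --- constructed sample data (not a real key) ------------------------------

def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(packets: bytes) -> str:
    """Wrap packets in a public-key armor block with a valid CRC line."""
    b64 = base64.b64encode(packets).decode()
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + b64 + "\n=" + crc
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


def make_sample_key() -> bytes:
    """Constructed v4 RSA public-key packet with a toy 64-bit modulus."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 0) + b"\x01" + mpi(0xC0FFEE1234567891) + mpi(65537)
    return b"\x99" + struct.pack(">H", len(body)) + body


SAMPLE_KEY = make_sample_key()
SAMPLE_ARMOR = armor(SAMPLE_KEY)
SAMPLE_FPR = v4_fingerprint(read_packet(SAMPLE_KEY)[1])  # stands in for the published pin

if __name__ == "__main__":
    print("pinned fingerprint :", SAMPLE_FPR)
    print("fetched key matches:", check_pinned_key(SAMPLE_ARMOR, SAMPLE_FPR))
```

In practice `SAMPLE_ARMOR` would be the text downloaded from the URL given by `--gpg-keyring-url`, and `SAMPLE_FPR` the fingerprint printed in the announcement; only when `check_pinned_key` returns True should the file be passed to `gpg --import`. The comparison is on the full 40-hex-digit fingerprint, not the 16-digit key ID, because key IDs can be deliberately collided.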
