Hi Bruno,

Bruno Haible <[email protected]> writes:
> Collin Funk wrote:
>> > * Even with a configured keyserver that is still operating, such as
>> >   hkps://keys.openpgp.org, the problem with keyservers is that
>> >   anyone can upload a fake GPG key for a given package maintainer.[1]
>>
>> That is the case for typical keyservers. But uploading a key on
>> keys.openpgp.org requires you to accept a verification email. Without
>> doing that the key will not be added. So unless a person has access to
>> your email, they cannot upload a fake key. At least that is what I
>> remember from uploading my key over a year ago [1]
>
> I confirm. I even got two verification emails, one with a link of the form
> https://keys.openpgp.org/upload/... and one with a link of the form
> https://keys.openpgp.org/verify/... .
>
> This changes the situation. If at least keys.openpgp.org is a trustworthy
> key server:

I think it is trustworthy. And upon further investigation it runs on free
software. The software the server runs is AGPLv3+ [1]; SKS is/was GPLv2+.

The only worry that I would have is future divergence between the OpenPGP
and LibrePGP standards [2][3]. Since keys.openpgp.org is maintained by the
Sequoia PGP developers who wrote RFC 9580, they will prefer that standard.
But due to some disagreements that I do not know the history of, GnuPG
does/will not conform to that standard. Instead it conforms to the LibrePGP
standard.

It would certainly be annoying if 'gpg' did not understand keys from that
key server (generated by 'sq') or the key server did not understand keys
generated by 'gpg'. But I do not know enough about PGP to know if/when that
issue will arise.

> * The release announcement template (maintained in gnulib) should
>   mention
>       gpg --keyserver hkps://keys.openpgp.org --recv-keys ID
>   instead of
>       gpg --recv-keys ID
>
> * In maintain.texi we should keep the cited paragraph, replacing only
>   'keys.gnupg.net' with 'hkps://keys.openpgp.org'.

Yep, we would need the explicit --keyserver argument in all cases.
Collin

[1] https://gitlab.com/keys.openpgp.org/hagrid/-/blob/7532ff4b22c49efff95c3043e983e0c7948e38e2/COPYING
[2] https://datatracker.ietf.org/doc/rfc9580/
[3] https://datatracker.ietf.org/doc/draft-koch-librepgp/
