Hi Paul,

> tags 725411 + security

This bug has been fixed in GnuPG 1.4.17. Although it's a good robustness and anti-keyring-pollution measure, I don't think it's an acute security issue in stable that needs to be fixed in a DSA, because the threat model is unclear to me.

I think it's well understood that keyservers are not trustworthy per se and that the web of trust is to be used to verify which keys are to be trusted. If you need to rely on a keyserver not being rogue you've already lost. Any key injected in such a download would still not pass web of trust validation.

Cheers,
Thijs