On Wed, 3 Jul 2019 05:06, r...@sixdemonbag.org said:

> As I understand it the current list of targeted keys is myself, dkg,
> Werner, Patrick, and Kristian. It is clear the attacker's goal is to

I am not yet affected except for these few thousand old xmas fun
signatures.

> Werner will no doubt be updating GpgOL as well.

I am sorting out some other bugs and hope to get a release out next
week. I tend to make --keyserver-options self-sigs-only the default to
avoid importing possible crap from the keyservers. no-self-sigs-only
should allow reverting for those who still want to receive updates from
the anyway overloaded keyservers.

A command to clean affected keys would also be useful but it might be
better to get a new release out early than to implement a feature which
needs quite some time taking testing. (https://dev/gnupg.org/T4591)

What we can also do is to remove the default keyserver feature we
introduced with 2.2. This means that anyone who wants to use a
keyserver needs to pick one and not rely on defaults.

The other thing I have in mind to actually add to 2.2 is to re-purpose
--search-keys to update from WKD or DANE instead of looking up at the
keyservers. (T4599)

> of OpenPGP is to verify package signatures; for the small fraction that
> use it for email, Enigmail is the most dominant choice, with GpgOL a

Frankly, I doubt that given the many users of Gpg4win compared to those
of Linux desktops. But this is a different topic.

> The real damage is going to be to people's workflows. A whole lot of
> people are going to be impacted by these fixes and we can expect to need

Actually not being able to fetch a key from the keyservers can improve
security or at least avoid problems sending mails encrypted to the wrong
key. (see my comment above on --search-keys).

Shalom-Salam,

   Werner

p.s.
Why can't we have such problems at times when it is cold and rainy and
you can anyway only sit at your desk ;-).

-- 
Thoughts are free. Exceptions are regulated by a federal law.
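The distinction behind self-sigs-only, as an added example that is not part of the original message and is not GnuPG code: this Python function reads the colon-delimited listing printed by `gpg --list-sigs --with-colons`, counts signatures issued by the key itself versus third-party signatures, and flags keys carrying an unusually large number of the latter. The function names, the threshold of 1000 and the sample listing (key IDs, dates, user IDs) are all constructed assumptions.

```python
def make_listing(keyid, n_third_party):
    """Build a constructed listing: one self-signature plus n third-party ones."""
    lines = [
        f"pub:-:4096:1:{keyid}:1404345600:::-:::scESC::::::23::0:",
        "uid:-::::1404345600::::Constructed User <user@example.org>::::::::::0:",
        f"sig:::1:{keyid}:1404345600::::Constructed User <user@example.org>:13x:::::8:",
    ]
    for i in range(n_third_party):
        # Issuer key IDs here are made-up counters, not real keys.
        lines.append(f"sig:::1:{i:016X}:1561939200::::[User ID not found]:10x:::::8:")
    return "\n".join(lines) + "\n"


# Constructed sample: one ordinary key and one flooded key.
SAMPLE = make_listing("AAAAAAAAAAAAAAAA", 2) + make_listing("CCCCCCCCCCCCCCCC", 5000)


def count_signatures(colon_listing):
    """Return {primary_keyid: {"self": n, "third_party": m}}.

    Field 1 is the record type and field 5 is the key ID; for "sig"
    records field 5 is the ID of the key that issued the signature.
    """
    counts = {}
    primary = None
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue
        if fields[0] in ("pub", "sec"):
            primary = fields[4].upper()
            counts[primary] = {"self": 0, "third_party": 0}
        elif fields[0] == "sig" and primary is not None:
            kind = "self" if fields[4].upper() == primary else "third_party"
            counts[primary][kind] += 1
    return counts


def flooded_keys(colon_listing, threshold=1000):
    """Key IDs whose third-party signature count exceeds the (assumed) threshold."""
    counts = count_signatures(colon_listing)
    return sorted(k for k, c in counts.items() if c["third_party"] > threshold)


if __name__ == "__main__":
    for keyid, c in count_signatures(SAMPLE).items():
        print(keyid, c)
    print("flooded:", flooded_keys(SAMPLE))
```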