On 7/10/19 12:53 pm, Eli Schwartz wrote:
> On 10/6/19 10:42 PM, Allan McRae wrote:
>>> + if (( $(vercmp "$gpg_ver" 2.2.17) >= 0 )); then
>>> + add_gpg_conf_option "$conffile" 'keyserver-options'
>>> 'no-self-sigs-only,no-import-clean'
>>
>> Doesn't import-clean actually do what we want? Strips signatures from
>> keys not in the keyring? Assuming users are not setting up the initial
>> keyring by importing keys manually...
>
> Hmm, on second thought you're right. no-self-sigs-only will prevent the
> main thing that annoys us, which is getting rid of sigs we want because
> we have the WoT keys which match it.
>
> no-import-clean would return us to feature parity with the older gnupg
> releases, but that's not the fundamental goal, and the only benefit it
> would get us is being able to later on import a master key and have it
> validate, which seems like an unlikely event. Anyway, it seems like
> refreshing that key would re-acquire the cleaned signatures.
>
> Do you want to leave the import-clean setting out entirely, or take the
> opportunity to start having the keyring be guaranteed to be cleaned?
>
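Review bot: the quoted hunk writes 'no-self-sigs-only,no-import-clean', which contradicts the direction the discussion takes (keep import-clean so that the keyring stays cleaned, only drop self-sigs-only); the option string in add_gpg_conf_option should be changed to match whatever default is settled on, otherwise the comment thread and the code disagree. The `(( $(vercmp "$gpg_ver" 2.2.17) >= 0 ))` gate itself is right to keep, since the thread notes these keyserver-options are new behaviour in 2.2.17 and older releases should not be handed them; it does assume `$gpg_ver` was populated earlier in the script with a bare version string, which is worth a comment at the assignment.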
no-self-sigs-only,import-clean seems a good trade off as default
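To show what the settled default looks like when actually written into a gpg.conf, here is an added example (not pacman-key's own code). It mirrors the version gate from the quoted hunk and uses the `no-self-sigs-only,import-clean` value the reply settles on. Assumptions: pacman's `vercmp` is not available, so a small dotted-version comparison stands in for it; `add_gpg_conf_option` is replaced by a hypothetical `set_keyserver_options` that rewrites the file idempotently, so running it twice leaves exactly one keyserver-options line.

```sh
#!/bin/sh
# Added example, not pacman-key code. Choose the keyserver-options value for a
# given gnupg version and write it into a gpg.conf without duplicating lines.

# Dotted-version comparison; prints -1, 0 or 1. Stand-in for pacman's vercmp,
# which this example assumes is not installed.
ver_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        # drop the consumed leading component (or empty out the string)
        [ "$a" = "$ai" ] && a='' || a=${a#*.}
        [ "$b" = "$bi" ] && b='' || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
    done
    echo 0
}

# gnupg 2.2.17 introduced the self-sigs-only/import-clean keyserver defaults,
# and earlier releases do not understand the no-self-sigs-only option, so the
# line is only emitted for >= 2.2.17 (same gate as the quoted hunk). The value
# is the default the reply settles on: keep import-clean, drop self-sigs-only.
keyserver_options_for() {
    if [ "$(ver_cmp "$1" 2.2.17)" -ge 0 ]; then
        echo 'no-self-sigs-only,import-clean'
    fi
}

# Hypothetical replacement for add_gpg_conf_option: remove any existing
# keyserver-options line, then append the new one (if a value was given).
set_keyserver_options() {
    conffile=$1; value=$2
    [ -f "$conffile" ] || : > "$conffile"
    tmp=$(mktemp)
    grep -v '^keyserver-options ' "$conffile" > "$tmp" || true
    if [ -n "$value" ]; then
        printf 'keyserver-options %s\n' "$value" >> "$tmp"
    fi
    mv "$tmp" "$conffile"
}

# Stand-alone demo on a throwaway directory: applies the setting twice and
# prints the resulting file (one keyserver-options line expected).
demo() {
    dir=$(mktemp -d)
    set_keyserver_options "$dir/gpg.conf" "$(keyserver_options_for 2.2.19)"
    set_keyserver_options "$dir/gpg.conf" "$(keyserver_options_for 2.2.19)"
    cat "$dir/gpg.conf"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh example.sh --demo` to see the written file; for a gnupg version below 2.2.17 `keyserver_options_for` prints nothing and the conf file is left without a keyserver-options line, which is the behaviour the version gate in the patch is there to guarantee.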