Hello Charles, thanks for the hint - I changed the instructions for the Debian section to use the key fingerprint. The change should propagate to CRAN
https://cran.r-project.org/bin/linux/debian and its mirrors soon. Best regards, Johannes Am Sonntag, 4. September 2016, 10:03:16 schrieb Charles Plessy: > Hi Michael and Dirk, > > there are raising concerns that, as of today's computing power, an attacker > can generate a GPG key that has the same short ID as a target key. In this > situation, it may be possible that a user downloads and trusts the > attacker's GPG key, and as a consequence installs malware. > > For that reason (better explained in http://lwn.net/Articles/697417/), it is > recommended to use long IDs or even full fingerprints. I am therefore > suggesting to update the instructions at > <https://cran.rstudio.com/bin/linux/ubuntu/>. > > s/E084DAB9/E298A3A825C0D65DFD57CBB651716619E084DAB9/ > > (Note that I tested only in Debian Stable, which is one year older as > Trusty, so it might be good to doublecheck on a Trusty system that it works > as expected.) > > Have a nice day, > > Charles _______________________________________________ R-SIG-Debian mailing list R-SIG-Debian@r-project.org https://stat.ethz.ch/mailman/listinfo/r-sig-debian
