[Pkg-gnupg-maint] Bug#725411: gnupg: gpg blindly imports keys from keyserver responses
Thijs Kinkhorst
thijs at debian.org
Fri Aug 22 11:41:20 UTC 2014
Hi Paul,
> tags 725411 + security
This bug has been fixed in GnuPG 1.4.17.
Although it's a good robustness and anti-keyring-polution measure, I don't
think it's an acute security issue in stable that needs to be fixed in a
DSA, because the threat model is unclear to me.
I think it's well understood that keyservers are not trustworthy per se
and that the web of trust is to be used to verify which keys are to be
trusted. If you need to rely on a keyserver not being rogue you've already
lost. Any key injected in such a download would still not pass web of
trust validation.
Cheers,
Thijs
More information about the Pkg-gnupg-maint
mailing list