[Pkg-gnupg-maint] Bug#725411: gnupg: gpg blindly imports keys from keyserver responses

Thijs Kinkhorst thijs at debian.org
Fri Aug 22 11:41:20 UTC 2014


Hi Paul,

> tags 725411 + security

This bug has been fixed in GnuPG 1.4.17.

Although it's a good robustness and anti-keyring-pollution measure, I don't
think it's an acute security issue in stable that needs to be fixed in a
DSA, because the threat model is unclear to me.

I think it's well understood that keyservers are not trustworthy per se
and that the web of trust is to be used to verify which keys are to be
trusted. If you need to rely on a keyserver not being rogue you've already
lost. Any key injected in such a download would still not pass web of
trust validation.


Cheers,
Thijs
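The behaviour under discussion, as an added example that is not part of the bug report, of GnuPG or of Debian: a minimal OpenPGP packet walker that splits a binary keyserver response into transferable public keys, then contrasts a client that imports every key in the response with one that keeps only the key(s) it actually asked for, which is the anti-pollution measure the thread refers to. The function names, the sample "keyserver response" and its two keys (nonsense RSA values, not real key material) are constructed for this example; the policy of rejecting 8-digit short key IDs is this example's choice, not a description of GnuPG's. The example deliberately does no web-of-trust validation: that is the separate step Thijs refers to, and an injected key that survives the import filter would still have to pass it.

```python
"""Added example, not GnuPG code: parse a raw (binary) keyserver response and
keep only the requested key(s). Sample keys below are constructed nonsense."""
import hashlib
import struct


def _read_packet(buf, pos):
    """Parse one OpenPGP packet header at buf[pos]; return (tag, body_start, body_end)."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet at offset %d" % pos)
    if ctb & 0x40:  # new-format header (RFC 4880 section 4.2.2)
        tag = ctb & 0x3F
        first = buf[pos + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + buf[pos + 2] + 192, 3
        elif first == 255:
            length, hdr = struct.unpack(">I", buf[pos + 2:pos + 6])[0], 6
        else:
            raise ValueError("partial body lengths are not supported here")
    else:  # old-format header (RFC 4880 section 4.2.1)
        tag = (ctb >> 2) & 0x0F
        ltype = ctb & 0x03
        if ltype == 0:
            length, hdr = buf[pos + 1], 2
        elif ltype == 1:
            length, hdr = struct.unpack(">H", buf[pos + 1:pos + 3])[0], 3
        elif ltype == 2:
            length, hdr = struct.unpack(">I", buf[pos + 1:pos + 5])[0], 5
        else:
            raise ValueError("indeterminate packet length is not supported here")
    start = pos + hdr
    if start + length > len(buf):
        raise ValueError("truncated packet at offset %d" % pos)
    return tag, start, start + length


def v4_fingerprint(key_body):
    """RFC 4880 section 12.2: SHA-1 over 0x99, the two-octet body length and the key packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()


def split_keys(response):
    """Split a binary keyserver response into (fingerprint, raw bytes) per transferable public key.
    Everything up to the next public-key packet (user IDs, signatures, subkeys) belongs to that key."""
    keys, pos, cur = [], 0, None
    while pos < len(response):
        tag, start, end = _read_packet(response, pos)
        if tag == 6:  # public-key packet: a new transferable key starts here
            if cur is not None:
                keys.append((cur[0], response[cur[1]:pos]))
            if response[start] != 4:
                raise ValueError("only v4 public keys are supported here")
            cur = (v4_fingerprint(response[start:end]), pos)
        elif cur is None:
            raise ValueError("packet of type %d before the first public key" % tag)
        pos = end
    if cur is not None:
        keys.append((cur[0], response[cur[1]:]))
    return keys


def import_everything(response):
    """The unfixed behaviour: every key in the response is treated as wanted."""
    return [fpr for fpr, _ in split_keys(response)]


def filter_response(response, requested):
    """Keep only keys whose fingerprint ends with a requested long key ID or full fingerprint.
    Returns (kept bytes, kept fingerprints, dropped fingerprints).
    Short 8-digit IDs are rejected here because they are trivially collidable (example policy)."""
    wanted = []
    for r in requested:
        r = r.replace(" ", "").upper()
        if r.startswith("0X"):
            r = r[2:]
        if len(r) < 16 or any(c not in "0123456789ABCDEF" for c in r):
            raise ValueError("need a 16-digit key ID or full fingerprint, got %r" % r)
        wanted.append(r)
    kept, dropped = [], []
    for fpr, blob in split_keys(response):
        (kept if any(fpr.endswith(w) for w in wanted) else dropped).append((fpr, blob))
    return b"".join(b for _, b in kept), [f for f, _ in kept], [f for f, _ in dropped]


# --- constructed sample data (not real keys; the RSA values are nonsense) ---
def _mpi(value):
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def make_public_key(n, created=1408700480):
    """Build an old-format v4 RSA public-key packet (tag 6) around a fake modulus n."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(65537)
    return bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(body)) + body


def make_user_id(uid):
    """Build a new-format user-ID packet (tag 13)."""
    return bytes([0xC0 | 13, len(uid)]) + uid


KEY_A = make_public_key(0xC0FFEE1234567890ABCDEF0123456789ABCDEF01) + make_user_id(b"alice@example.org")
KEY_B = make_public_key(0xDEADBEEF9876543210FEDCBA9876543210FEDCB1) + make_user_id(b"injected@example.net")
FPR_A = split_keys(KEY_A)[0][0]
FPR_B = split_keys(KEY_B)[0][0]
# Constructed response to a request for key A from a keyserver that tacks on an unrelated key B.
RESPONSE = KEY_A + KEY_B

if __name__ == "__main__":
    print("naive import keeps:", import_everything(RESPONSE))
    _, kept, dropped = filter_response(RESPONSE, [FPR_A[-16:]])
    print("filtered import keeps:", kept, "drops:", dropped)
```

The parser stops at anything it cannot account for (partial body lengths, indeterminate lengths, a packet before the first public key, truncation) rather than guessing, since a keyserver response is untrusted input; a real client would also have to handle ASCII armor and v3 keys, which are left out here.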


