[pkg-gnupg-maint] diverging from upstream defaults
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Sep 8 00:04:47 UTC 2017
On Wed 2016-06-29 18:45:50 -0400, Daniel Kahn Gillmor wrote:
> We currently don't diverge much from upstream. That said, there are
> some ways that we've discussed using debian (at least debian
> experimental and unstable) as a laboratory for changes in defaults to
> help harden the OpenPGP ecosystem, and to make it easier for people to
> just use the tool without fiddling with it to make it use stronger
> crypto.
I'm in the process of making these changes for debian unstable right
now. In particular, i'm planning on making the following changes in
debian/patches/update-defaults/*.patch:
> * default RSA key size: 2048 → 3072
>
> * default cipher algorithm: AES128 → AES256
>
> * default signature digest: SHA256 → SHA512
>
> * digests in default personal-digest-preferences : SHA-256,SHA-384,SHA-512,SHA-224,SHA-1 → SHA-512,SHA-384,SHA-256,SHA-224,SHA-1
>
> * default s2k duration (calibrated by agent): 100ms → 300ms
I didn't need to do this one, because upstream has already done it, yay!:
> * default keyserver: nothing → hkps://hkps.pool.sks-keyservers.net
The nice thing about having made these changes in debian is that when a
potential new debian contributor says "how should i make my OpenPGP key"
we should soon be able to say something like:
---------------
Make sure you're using debian testing or unstable, and do:
gpg --quick-gen-key "Your Name <you at example.net>"
This will give you a reasonable OpenPGP key for your regular use.
--------------
Anyone have any other concerns or suggestions about this? It's been
over a year since my initial question, so it doesn't look to me like
there have been any particularly strong preferences :)
--dkg
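The defaults listed in the mail translate directly into gpg.conf options, and a reader who is not on Debian testing/unstable (or who wants to confirm that a key actually came out the way the new defaults intend) may want both halves of that in script form. The following is an added example, not part of dkg's mail or of the Debian gnupg packaging: `write_hardened_gpg_conf` pins the same choices explicitly using real gpg option names (`default-new-key-algo` exists in GnuPG 2.1.17 and later), and `check_key_policy` parses `gpg --with-colons --list-keys` output and fails on any primary key that is not at least RSA 3072 or EdDSA. The policy thresholds, the accepted algorithm set, and the sample listing lines used in the usage note are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the mail or from Debian's gnupg package).
# Helpers around the proposed hardened defaults:
#   write_hardened_gpg_conf PATH  -- write a gpg.conf that pins those defaults
#   check_key_policy FILE         -- audit `gpg --with-colons --list-keys` output
# Policy numbers (3072-bit RSA minimum, EdDSA accepted) are assumptions here.

write_hardened_gpg_conf() {
    # All option names are real gpg.conf options; values mirror the mail's list.
    cat > "$1" <<'EOF'
# Hardened defaults (added example; not Debian's shipped configuration)
default-new-key-algo rsa3072/cert,sign+rsa3072/encr
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
keyserver hkps://hkps.pool.sks-keyservers.net
EOF
}

check_key_policy() {
    # $1: file containing the colon-separated listing from
    #     gpg --with-colons --list-keys
    # Colon-format fields used: 1 = record type, 3 = key length in bits,
    # 4 = public-key algorithm id (1 = RSA, 22 = EdDSA), 5 = key id.
    # Returns 0 when every primary key meets the policy, 1 otherwise,
    # printing one line per offending key.
    awk -F: '
        BEGIN { bad = 0 }
        $1 == "pub" {
            if ($4 == 1 && $3 + 0 >= 3072) next   # RSA with enough bits
            if ($4 == 22) next                    # EdDSA (ed25519) is fine
            printf "weak primary key: algo=%s bits=%s keyid=%s\n", $4, $3, $5
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Stand-alone usage: audit a listing passed on the command line, e.g.
#   gpg --with-colons --list-keys > keys.txt && sh thisfile.sh keys.txt
if [ "$#" -gt 0 ]; then
    check_key_policy "$1"
fi
```

The audit deliberately reads a saved listing rather than calling gpg itself, so it can be run on exported listings from other machines; a constructed line such as `pub:u:2048:1:FEDCBA9876543210:1400000000:::u:::scESC::::::23::0:` is reported as weak, while `pub:u:3072:1:0123456789ABCDEF:1504828800:::u:::scESC::::::23::0:` passes.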