[pkg-gnupg-maint] Upstream request: Please use the default keyservers
Andre Heinecke
aheinecke at gnupg.org
Wed Feb 26 12:22:28 GMT 2020
Hi,
yesterday I installed Debian buster and was unable to find my own key.
Turns out that Debian is patching in a centralized keyserver instead of using
the decentralized standard sks keyserver network.
https://salsa.debian.org/debian/gnupg2/-/blob/debian/buster/debian/patches/keyserver-cleanup/Use-hkps-keys.openpgp.org-as-the-default-keyserver.patch
Please remove that patch.
This is an opinion-based topic. Debian should not patch software because it
has a different opinion than upstream.
There is a lot of rationale against the SKS Network, but there is also a lot
of rationale against a centralized keyserver, which introduces a single point
of attack, leaks information about key queries to a single instance etc. etc.
Esp. since Debian is sensitive about privacy and we have for example disabled
auto-key-retrieve by default on your request (where we also agreed). This
patch is completely the opposite of that.
There is not even an institution like the GnuPG e.V. behind this service, it
might change at a whim.
As distributor of Gpg4win I am also facing keyserver issues, but for now we
don't have better alternatives. That is why GnuPG still has it as default. We
want a decentralized Hockeypuck network but keys.openpgp.org is definitely a step
in the wrong direction. Please trust the GnuPG project on that, even though
your personal opinion might differ.
Patching the man page makes it appear for Debian users that the GnuPG Project
is supporting keys.openpgp.org or thinking that using a central server is a
good idea. We do not.
Best Regards,
Andre
--
GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf. VR 11482 Düsseldorf
Vorstand: W.Koch, B.Reiter, A.Heinecke Mail: board at gnupg.org
Finanzamt D-Altstadt, St-Nr: 103/5923/1779. Tel: +49-211-28010702