Collin Funk wrote:
> > * Even with a configured keyserver that is still operating, such as
> > hkps://keys.openpgp.org, the problem with keyservers is that
> > anyone can upload a fake GPG key for a given package maintainer.[1]
>
> That is the case for typical keyservers. But uploading a key on
> keys.openpgp.org requires you to accept a verification email. Without
> doing that the key will not be added. So unless a person has access to
> your email, they cannot upload a fake key. At least that is what I
> remember from uploading my key over a year ago [1]
I confirm. I even got two verification emails, one with a link of the form
https://keys.openpgp.org/upload/... and one with a link of the form
https://keys.openpgp.org/verify/... .

This changes the situation. If at least keys.openpgp.org is a trustworthy
key server:

* The release announcement template (maintained in gnulib) should mention
    gpg --keyserver hkps://keys.openpgp.org --recv-keys ID
  instead of
    gpg --recv-keys ID

* In maintain.texi we should keep the cited paragraph, replacing only
  'keys.gnupg.net' with 'hkps://keys.openpgp.org'.

Bruno