On Wed 2019-08-21 18:19:06 +0100, Adam D. Barratt wrote:
>> * We adopt GnuPG's upstream approach of making keyserver access
>> default to self-sigs-only. This means that the keyserver cannot
>> flood the user's keyring by default. (we do *not* adopt upstream's
>> choice of import-clean for keyserver default, see
>> https://dev.gnupg.org/T4628 for more explanation)
>
> The introduction of this change in unstable (and since in testing)
> apparently led to some confusion amongst, and queries from, members of
> the project, so is likely to have a similar (but quite possibly larger)
> effect on the wider stable user base.
>
> If we are to include it, I think it would therefore be wise to ensure
> that it is accompanied by a NEWS entry which briefly explains the
> change and its implications. (Relatedly, the further through the stable
> cycle we get, the more awkward this would be to introduce.)

Thanks, that's entirely reasonable. I've put this NEWS item into the
debian/buster branch on salsa. Otherwise, the debdiff is the same.

diff --git a/debian/NEWS b/debian/NEWS
index 0a6a7440d..3005e935c 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,25 @@
+gnupg2 (2.2.12-1+deb10u1) buster; urgency=medium
+
+ In this version we adopt GnuPG's upstream approach of making
keyserver
+ access default to self-sigs-only. This defends against receiving
+ flooded OpenPGP certificates. To revert to the previous behavior
(not
+ recommended!), add the following directive to ~/.gnupg/gpg.conf:
+
+ keyserver-options no-self-sigs-only
+
+ We also adopt keys.openpgp.org as the default keyserver, since it
avoids
+ the associated bandwidth waste of fetching third-party
certifications
+ that will not be used. To revert to the older SKS keyserver network
(not
+ recommended!), add the following directive to ~/.gnupg/dirmngr.conf:
+
+ keyserver hkps://hkps.pool.sks-keyservers.net
+
+ Note: we do *not* adopt upstream's choice of import-clean for the
+ keyserver default, since it can lead to data loss, see
+ https://dev.gnupg.org/T4628 for more details.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 21 Aug 2019
14:53:47 -0400
+
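
Review bot: The first paragraph of the new entry names the self-sigs-only default and the flooding it defends against, but it never states what a user will observe after upgrading; that only surfaces indirectly in the second paragraph's "third-party certifications that will not be used". Since the entry was requested so that it explains the change and its implications, consider adding one sentence to the first paragraph saying plainly that third-party certifications are no longer imported when fetching from a keyserver by default. It would also help to keep the reminder that the two revert directives go in different files (~/.gnupg/gpg.conf for keyserver-options, ~/.gnupg/dirmngr.conf for keyserver) visually distinct, since both paragraphs otherwise read alike and the file name is easy to miss.
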
Let me know if you want me to re-generate a full debdiff, or if you're
ok with this plus the previous debdiff (with an updated date on
debian/changelog to match debian/NEWS),