On Wed 2019-08-21 18:19:06 +0100, Adam D. Barratt wrote:
>> * We adopt GnuPG's upstream approach of making keyserver access
>> default to self-sigs-only. This means that the keyserver cannot
>> flood the user's keyring by default. (we do *not* adopt upstream's
>> choice of import-clean for keyserver default, see
>> https://dev.gnupg.org/T4628 for more explanation)
>
> The introduction of this change in unstable (and since in testing)
> apparently led to some confusion amongst, and queries from, members of
> the project, so is likely to have a similar (but quite possibly larger)
> effect on the wider stable user base.
>
> If we are to include it, I think it would therefore be wise to ensure
> that it is accompanied by a NEWS entry which briefly explains the
> change and its implications. (Relatedly, the further through the stable
> cycle we get, the more awkward this would be to introduce.)

Thanks, that's entirely reasonable. I've put this NEWS item into the debian/buster branch on salsa. Otherwise, the debdiff is the same.

diff --git a/debian/NEWS b/debian/NEWS index 0a6a7440d..3005e935c 100644 --- a/debian/NEWS +++ b/debian/NEWS 
@@ -1,3 +1,25 @@ +gnupg2 (2.2.12-1+deb10u1) buster; urgency=medium + + In this version we adopt GnuPG's upstream approach of making keyserver + access default to self-sigs-only. This defends against receiving + flooded OpenPGP certificates. To revert to the previous behavior (not + recommended!), add the following directive to ~/.gnupg/gpg.conf: + + keyserver-options no-self-sigs-only + + We also adopt keys.openpgp.org as the default keyserver, since it avoids + the associated bandwidth waste of fetching third-party certifications + that will not be used. To revert to the older SKS keyserver network (not + recommended!), add the following directive to ~/.gnupg/dirmngr.conf: + + keyserver hkps://hkps.pool.sks-keyservers.net + + Note: we do *not* adopt upstream's choice of import-clean for the + keyserver default, since it can lead to data loss, see + https://dev.gnupg.org/T4628 for more details. + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 21 Aug 2019 14:53:47 -0400 +

Let me know if you want me to re-generate a full debdiff, or if you're ok with this plus the previous debdiff (with an updated date on debian/changelog to match debian/NEWS), let me know whether i should go ahead and upload.

Thanks for your thoughtfulness and review.

Regards,

--dkg
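Review bot: The first paragraph of the new NEWS entry names the option and the threat it addresses but does not say what a user will observe, which is the part the review above asked for ("briefly explains the change and its implications"). Suggest adding one sentence after "flooded OpenPGP certificates." stating that with self-sigs-only, third-party certifications on a certificate are discarded when it is fetched or refreshed from a keyserver, so users who rely on those certifications will no longer receive them that way. The two revert paragraphs would also read more clearly if each said that its directive is independent of the other, since one goes in ~/.gnupg/gpg.conf and the other in ~/.gnupg/dirmngr.conf. Finally, the header version and the trailer date need to agree with the top entry of debian/changelog before upload, as the message itself notes.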