On Sun, 07 Jul 19, 21:11:06, Teemu Likonen wrote:
> Andrei POPESCU [2019-07-07T20:31:23+03] wrote:
>
> > My gpg.conf has:
> >
> > keyserver hkps://hkps.pool.sks-keyservers.net
>
> SKS keyservers can be risky because they allow anybody to submit any
> number of key signatures to other people's keys. Recently some keys have
> been poisoned with a great number of key signatures so that GnuPG chokes.
> Here's a link to a message in the gnupg-user mailing list.
>
> "SKS Keyserver Network Under Attack"
> https://lists.gnupg.org/pipermail/gnupg-users/2019-June/062098.html

Yeah, I read about that. Nasty!

> If you use SKS keyservers I really recommend using either of the
> following two options:
>
> keyserver-options import-clean
> keyserver-options import-minimal

What would be the alternative to SKS keyservers?

> If you happen to download a huge poisoned key from an SKS keyserver the
> above mentioned options protect your local keyring from getting unknown
> key signatures. The checking can take some time, though.

As in processing or downloading time? My systems are quite low powered
(fanless).

> Future releases of GnuPG will include more protective features and
> default settings.
>
> "Release candidate for 2.2.17"
> https://lists.gnupg.org/pipermail/gnupg-users/2019-July/062297.html

Planning to stick with buster for a while. Running sid is fun, if one
has the time for it ;)

> There is also <https://keys.openpgp.org>, a keyserver which doesn't
> distribute third-party signatures at all.

If my understanding is correct it enables only a very limited use-case
(download keys to be able to check signatures). One still has to publish
keys with signatures somehow...

Thanks a lot,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser
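The check implied by the quoted advice, as an added example that is not part of the original thread: a Python sketch that reads gpg.conf text and reports any keyserver in the sks-keyservers.net pool that is configured without `import-clean` or `import-minimal`. The function name, the sample configs and the suffix match on the pool domain are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

PROTECTIVE = {"import-clean", "import-minimal"}  # the two options named in the thread
SKS_POOL_SUFFIX = "sks-keyservers.net"           # assumption: only this pool is matched

def audit_gpg_conf(text):
    """Return findings for SKS pool keyservers used without a protective import option."""
    keyservers, active = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        fields = line.split(None, 1)
        name = fields[0].lower()
        arg = fields[1] if len(fields) > 1 else ""
        if name == "keyserver" and arg:
            keyservers.append(arg.split()[0])
        elif name == "keyserver-options":
            # Options may be separated by commas or whitespace.
            for opt in filter(None, re.split(r"[,\s]+", arg)):
                if opt in PROTECTIVE:
                    active.add(opt)
                elif opt.startswith("no-") and opt[3:] in PROTECTIVE:
                    active.discard(opt[3:])       # "no-" prefix switches an option off
    findings = []
    for ks in keyservers:
        url = ks if "://" in ks else "hkp://" + ks   # bare host name given
        host = (urlsplit(url).hostname or "").lower()
        in_pool = host == SKS_POOL_SUFFIX or host.endswith("." + SKS_POOL_SUFFIX)
        if in_pool and not active:
            findings.append(f"{ks}: SKS pool without import-clean or import-minimal")
    return findings

# Constructed sample configs (not taken from any real system).
AS_POSTED = "keyserver hkps://hkps.pool.sks-keyservers.net\n"
HARDENED = AS_POSTED + "keyserver-options import-clean\n"
NEGATED = HARDENED + "keyserver-options no-import-clean\n"

if __name__ == "__main__":
    for label, conf in [("as posted", AS_POSTED), ("hardened", HARDENED), ("negated", NEGATED)]:
        print(label, audit_gpg_conf(conf) or "ok")
```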