|
From: | dftxbs3e |
Subject: | Suggest another way of importing GNU Guix GPG key |
Date: | Sat, 29 Jun 2019 23:11:19 +0200 |
User-agent: | Webmail Free/1.3.3 |
Hello,SKS keyservers are currently under attack (https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f) - the attack can cause a GPG client to freeze completely and mess the GPG installation completely.
I suggest GNU Guix proposes another way of importing the GPG keys so that users will not suffer from this problem.
There's another, newer, keyserver, proposed in this gist, that is run by new software that doesnt suffer from this attack. See: https://keys.openpgp.org/about/news#2019-06-12-launch
However, that keyserver is not replicated. You could either use that one or simply offer a download of the key over TLS with verification against installed CAs, as secure as this can get.
Regards
[Prev in Thread] | Current Thread | [Next in Thread] |