Someone is squatting GnuPG names

Vincent Breitmoser look at my.amazin.horse
Thu Apr 2 09:42:48 CEST 2020


> Unsuspecting users don't really have a way to determine the projects
> are not authorized. They don't show as a fork (in the upper left hand
> corner). Rather they appear to be an authorized source.

It says "unofficial gnupg mirrors", right there in the title from your link?
I agree it could be made more obvious (e.g. in repo descriptions), but it's not
like he's hiding the fact.

The decentralized nature of git will always lead to mirrors on pages like
GitHub, and if it wasn't this guy mirroring in a systematic manner you'd still
have people pushing the repository or derivatives all over as part of their
normal workflows. At least this way they stay up to date.

Perhaps a friendly note asking to make a better mention of the fact the repos
are mirrors and a more visible pointer to upstream would be a good idea.

 - V



More information about the Gnupg-devel mailing list