Someone is squatting GnuPG names

Jeffrey Walton noloader at
Thu Apr 2 10:26:12 CEST 2020

On Thu, Apr 2, 2020 at 3:42 AM Vincent Breitmoser <look at> wrote:
> > Unsuspecting users don't really have a way to determine the projects
> > are not authorized. They don't show as a fork (in the upper left hand
> > corner). Rather they appear to be an authorized source.
> It says "unofficial gnupg mirrors", right there in the title from your link?
> I agree it could be made more obvious (e.g. in repo descriptions), but it's not
> like he's hiding the fact.

Try this out: There's no indication.

I made a pull request against it thinking the gnupg devs would handle it.

It fooled me and about 280 others.

Why in the world would someone squat an organization's name?

If it was jerome/gnupg I would have moved on.

Why has GnuPG not taken action? What is the purpose of allowing people
to make the mistake?


More information about the Gnupg-devel mailing list