Someone is squatting GnuPG names

Jeffrey Walton noloader at gmail.com
Thu Apr 2 10:26:12 CEST 2020


On Thu, Apr 2, 2020 at 3:42 AM Vincent Breitmoser <look at my.amazin.horse> wrote:
>
> > Unsuspecting users don't really have a way to determine the projects
> > are not authorized. They don't show as a fork (in the upper left hand
> > corner). Rather they appear to be an authorized source.
>
> It says "unofficial gnupg mirrors", right there in the title from your link?
> I agree it could be made more obvious (e.g. in repo descriptions), but it's not
> like he's hiding the fact.

Try this out: https://github.com/gpg/gnupg. There's no indication.

I made a pull request against it thinking the gnupg devs would handle it.

It fooled me and about 280 others.

Why in the world would someone squat an organization's name?

If it was jerome/gnupg I would have moved on.

Why has GnuPG not taken action? What is the purpose of allowing people
to make the mistake?

Jeff



More information about the Gnupg-devel mailing list