Someone is squatting GnuPG names
Jeffrey Walton
noloader at gmail.com
Thu Apr 2 10:26:12 CEST 2020
On Thu, Apr 2, 2020 at 3:42 AM Vincent Breitmoser <look at my.amazin.horse> wrote:
>
> > Unsuspecting users don't really have a way to determine the projects
> > are not authorized. They don't show as a fork (in the upper left hand
> > corner). Rather they appear to be an authorized source.
>
> It says "unofficial gnupg mirrors", right there in the title from your link?
> I agree it could be made more obvious (e.g. in repo descriptions), but it's not
> like he's hiding the fact.

Try this out: https://github.com/gpg/gnupg. There's no indication.
I made a pull request against it thinking the gnupg devs would handle it.
It fooled me and about 280 others.
Why in the world would someone squat an organization's name?
If it was jerome/gnupg I would have moved on.
Why has GnuPG not taken action? What is the purpose of allowing people
to make the mistake?
Jeff