Someone is squatting GnuPG names

Werner Koch wk at
Mon Apr 6 12:51:34 CEST 2020

On Sat,  4 Apr 2020 18:52, Uri Blumenthal said:

> It's good to know that this is the "official" GitHub mirror, because I

Given that Git is a decentralized VCS, it is not easy to say what is
official (i.e. from the usual upstream authors) and is non-official.
There is an easy solution however: Most of us sign our commits and all
release tags are also signed with the release key.  And well there are
official release tarballs; we consider everything take directly from a a
repo as a development version.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <>

More information about the Gnupg-devel mailing list