? Comments re key servers? re gpg-encrypted mail? re key servers carry many phony keys?

Alexandre Oliveira xinayder at airmail.cc
Wed Dec 28 17:04:23 CET 2016


On 28/12/2016 08:43, Miroslav Rovis wrote:
> 
> It's a different topic, but it might have the unreliability of
> keyservers for its justification:
> 
> The fact that Github, since this outgoing year, accepts gpg signing only
> if you post your public key to their servers.
> 
> Or does it? Is it more like Github wants to collect and control?
> 
> I know it was possible to:
> 
> $ cd <your git project>
> $ git tag <version> -s
> $ git push --tags
> 
> and all was there, signed and verifiable for everybody, without the need
> to have previously posted your own public key to github.com. Up until
> just last year, IIRC.
> 
> Any ideas for true reasons behind that move? And is it an improvement,
> or quite the contrary?
> 

Until this year there was no way to verify the signature of commits and
releases through the GitHub website, so they created a "kind of"
keyserver in their own server to manage users' public keys.


-- 
Alexandre Oliveira
  167F D82F 514A E8D1 2E9E
  C62D 1B63 9D4A 7E9D DA9D


