Unencrypted download of public keys

sivmu sivmu at web.de
Sun Feb 5 00:34:40 CET 2017



On 04.02.2017 at 23:27, Daniel Kahn Gillmor wrote:
> On Sat 2017-02-04 15:14:50 -0500, sivmu wrote:
>> I suppose this config did not change after upgrading from 2.1.17.
>> Just tested it on 2.1.18 using arch and it still uses http on my setup.
> 
> it's not a config change -- it's a defaults change.
> 
> in the old arrangement, if you didn't specify a keyserver, you couldn't
> get anything at all, so many people put some keyserver in their
> configuration manually.
> 
> if you have a "keyserver" listed in your config manually, then you are
> *overriding* the default.  And yes, if you list foo.example.com, it will
> connect to that server in the clear (just as if you put
> hkps://foo.example.com then it would connect using TLS).
> 
> Did you try this with no explicit "keyserver" directive?
> 
>> But this would be rather an issue with the distro, correct?
> 
> It may be an issue with your distro, i don't know how arch has packaged
> 2.1.18.
> 
> all the best,
> 
>         --dkg
> 

This is the script for the arch gnupg package:
https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/gnupg

But I do not see any sign of overriding the defaults and I never changed
the settings either.

I might just set up a new arch system in a VM and test this on a clean
installation to make sure I did not mess something up.


Could it be that installing gpa changed the defaults?
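
The following is an added example, not part of the original message or of GnuPG itself: a small checker for the situation discussed above, which lists every active `keyserver` line in a GnuPG config file and marks whether it names `hkps://` or a cleartext form. The function names, the sample config and the use of `gpg.conf` and `dirmngr.conf` under `~/.gnupg` (or `$GNUPGHOME`) are assumptions of this example.

```python
import os
import re

TLS_SCHEMES = {"hkps"}    # TLS form named in the thread
CLEAR_SCHEMES = {"hkp"}   # plain-HTTP keyserver protocol

# Constructed sample config, not taken from the thread.
SAMPLE_CONF = """\
# constructed sample
keyserver-options auto-key-retrieve
#keyserver hkps://disabled.example.org
keyserver foo.example.com
keyserver hkps://foo.example.com
keyserver hkp://foo.example.com
"""

def classify(uri):
    """Return 'tls', 'cleartext' or 'other' for one keyserver value."""
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*)://", uri)
    if m is None:
        # Bare host name: per the thread, contacted in the clear.
        return "cleartext"
    scheme = m.group(1).lower()
    if scheme in TLS_SCHEMES:
        return "tls"
    if scheme in CLEAR_SCHEMES:
        return "cleartext"
    return "other"  # scheme this example does not judge

def keyserver_directives(conf_text):
    """Return [(line_no, uri, verdict)] for each active keyserver line."""
    results = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.strip().split()
        # Skip blanks, comments and other options (e.g. keyserver-options).
        if len(parts) < 2 or parts[0] != "keyserver":
            continue
        results.append((n, parts[1], classify(parts[1])))
    return results

if __name__ == "__main__":
    home = os.environ.get("GNUPGHOME", os.path.expanduser("~/.gnupg"))
    for name in ("gpg.conf", "dirmngr.conf"):  # assumed file names
        path = os.path.join(home, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                for n, uri, verdict in keyserver_directives(fh.read()):
                    print(f"{path}:{n}: {uri} -> {verdict}")
```

No output for a file means it has no explicit `keyserver` directive, so nothing in that file overrides the built-in default.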


