PGP Key Poisoner

Stefan Claas sac at
Mon Aug 12 18:39:38 CEST 2019

Ryan McGinnis via Gnupg-users wrote:

> Yes, ironically, this proof of concept is the responsible way to demonstrate
> the issue (after a sufficient waiting period following a private disclosure
> to the developers), rather than, say, demonstrating the issue by spitefully
> poisoning the keys of a few prominent people in the GPG community. The “if
> nobody talks about it and it remains obscure then it is not an issue” is
> something you would expect from a Mickey Mouse outfit that has no real
> understanding of security, not from a software development community that is
> essentially creating platforms focused on gold-standard security applications
> that underpin a lot of development infrastructure.  
> Just my two cents *ploink ploink*

I don't want to warm up this topic again, but... didn't Robert say in his
GitHub gist that the issue was known for more than a decade?

Why was it then not fixed a decade ago, like it was done with 2.2.17?

box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
GPG: C93E252DFB3B4DB7EAEB846AD8D464B35E12AB77 (avail. on Hagrid, WKD)
