[Pkg-gnupg-commit] [gnupg2] 03/07: default to --no-auto-key-retrieve

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Aug 11 16:51:31 UTC 2017


This is an automated email from the git hooks/post-receive script.

dkg pushed a commit to annotated tag debian/2.1.23-1
in repository gnupg2.

commit e3e2d5d5c6a09acc525e7bfbb281d0450ca2b3e5
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date:   Fri Aug 11 09:44:03 2017 -0400

    default to --no-auto-key-retrieve
---
 .../0013-gpg-default-to-no-auto-key-retrieve.patch | 68 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 69 insertions(+)

diff --git a/debian/patches/0013-gpg-default-to-no-auto-key-retrieve.patch b/debian/patches/0013-gpg-default-to-no-auto-key-retrieve.patch
new file mode 100644
index 0000000..df977fd
--- /dev/null
+++ b/debian/patches/0013-gpg-default-to-no-auto-key-retrieve.patch
@@ -0,0 +1,68 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Fri, 11 Aug 2017 02:26:52 -0400
+Subject: gpg: default to --no-auto-key-retrieve.
+
+* g10/gpg.c (main): remove KEYSERVER_AUTO_KEY_RETRIEVE from the
+default keyserver options.
+* doc/gpg.texi: document this change.
+--
+
+This is a partial reversion of
+7e1fe791d188b078398bf83c9af992cb1bd2a4b3.  Werner and i discussed it
+earlier today, and came to the conclusion that:
+
+ * the risk of metadata leakage represented by a default
+   --auto-key-retrieve, both in e-mail (as a "web bug") and in other
+   contexts where GnuPG is used to verified signatures, is quite high.
+
+ * the advantages of --auto-key-retrieve (in terms of signature
+   verification) can sometimes be achieved in other ways, such as when
+   a signed message includes a copy of its own key.
+
+ * when those other ways are not useful, a graphical, user-facing
+   application can still offer the user the opportunity to choose to
+   fetch the key; or it can apply its own policy about when to set
+   --auto-key-retrieve, without needing to affect the defaults.
+
+Note that --auto-key-retrieve is specifically about signature
+verification.  Decisions about how and whether to look up a key during
+message encryption are governed by --auto-key-locate.  This change
+does not touch the --auto-key-locate default of "local,wkd".  The user
+deliberately asking gpg to encrypt to an e-mail address is a different
+scenario than having an incoming e-mail trigger a potentially unique
+network request.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+(cherry picked from commit e6f84116abca2ed49bf14b2e28c3c811a3717227)
+---
+ doc/gpg.texi | 2 +-
+ g10/gpg.c    | 3 +--
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/doc/gpg.texi b/doc/gpg.texi
+index c71126a..b6a9b2d 100644
+--- a/doc/gpg.texi
++++ b/doc/gpg.texi
+@@ -1792,7 +1792,7 @@ list.  The default is "local,wkd".
+ @opindex no-auto-key-retrieve
+ These options enable or disable the automatic retrieving of keys from
+ a keyserver when verifying signatures made by keys that are not on the
+-local keyring.  The default is @option{--auto-key-retrieve}.
++local keyring.  The default is @option{--no-auto-key-retrieve}.
+ 
+ If the method "wkd" is included in the list of methods given to
+ @option{auto-key-locate}, the signer's user ID is part of the
+diff --git a/g10/gpg.c b/g10/gpg.c
+index c721cdc..c9fa7ae 100644
+--- a/g10/gpg.c
++++ b/g10/gpg.c
+@@ -2366,8 +2366,7 @@ main (int argc, char **argv)
+     opt.keyserver_options.import_options = (IMPORT_REPAIR_KEYS
+ 					    | IMPORT_REPAIR_PKS_SUBKEY_BUG);
+     opt.keyserver_options.export_options = EXPORT_ATTRIBUTES;
+-    opt.keyserver_options.options = (KEYSERVER_HONOR_PKA_RECORD
+-                                     | KEYSERVER_AUTO_KEY_RETRIEVE);
++    opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD;
+     opt.verify_options = (LIST_SHOW_UID_VALIDITY
+                           | VERIFY_SHOW_POLICY_URLS
+                           | VERIFY_SHOW_STD_NOTATIONS
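
Review bot: The doc/gpg.texi hunk inside this patch only flips the stated default to @option{--no-auto-key-retrieve} and gives the reader no reason for it. The commit message has the reason (a default --auto-key-retrieve lets an incoming signed message trigger a potentially unique network request, a "web bug"), but that never reaches the manual. Suggest adding a sentence to that gpg.texi paragraph saying that enabling --auto-key-retrieve causes a key lookup during signature verification and leaks metadata, so users who turn it back on know the trade-off. Separately, the g10/gpg.c hunk changes a user-visible default and the diffstat shows only the patch file and debian/patches/series touched; a debian/NEWS entry would help users whose verification workflows relied on automatic fetching and now need to set the option explicitly.
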
diff --git a/debian/patches/series b/debian/patches/series
index ea6811b..cfb3e0d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@ gpg-agent-idling/0009-agent-Allow-threads-to-interrupt-main-select-loop-wi.patch
 gpg-agent-idling/0010-agent-Avoid-tight-timer-tick-when-possible.patch
 gpg-agent-idling/0011-agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
 skip-missing-signing-keys/0013-g10-Skip-signing-keys-where-no-secret-key-is-availab.patch
+0013-gpg-default-to-no-auto-key-retrieve.patch
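
Review bot: The added series entry reuses the 0013 prefix already carried by the line directly above it (skip-missing-signing-keys/0013-g10-Skip-signing-keys-where-no-secret-key-is-availab.patch), and unlike the neighbouring entries it sits at the top level of debian/patches rather than in a topic subdirectory. Suggest renumbering it or moving it into a topic directory so the two 0013 patches cannot be confused. Since the patch header says it is cherry-picked from commit e6f84116abca2ed49bf14b2e28c3c811a3717227, placing it in a directory that marks it as an upstream cherry-pick would also make clear it can be dropped once the packaged version contains that commit.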

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git


