[Pkg-gnupg-commit] [gnupg2] 05/30: gpg: default to --no-auto-key-retrieve.
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Sep 6 21:57:30 UTC 2017
This is an automated email from the git hooks/post-receive script.
dkg pushed a commit to branch master
in repository gnupg2.
commit e6f84116abca2ed49bf14b2e28c3c811a3717227
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Aug 11 02:26:52 2017 -0400
gpg: default to --no-auto-key-retrieve.
* g10/gpg.c (main): remove KEYSERVER_AUTO_KEY_RETRIEVE from the
default keyserver options.
* doc/gpg.texi: document this change.
--
This is a partial reversion of
7e1fe791d188b078398bf83c9af992cb1bd2a4b3. Werner and i discussed it
earlier today, and came to the conclusion that:
* the risk of metadata leakage represented by a default
--auto-key-retrieve, both in e-mail (as a "web bug") and in other
contexts where GnuPG is used to verified signatures, is quite high.
* the advantages of --auto-key-retrieve (in terms of signature
verification) can sometimes be achieved in other ways, such as when
a signed message includes a copy of its own key.
* when those other ways are not useful, a graphical, user-facing
application can still offer the user the opportunity to choose to
fetch the key; or it can apply its own policy about when to set
--auto-key-retrieve, without needing to affect the defaults.
Note that --auto-key-retrieve is specifically about signature
verification. Decisions about how and whether to look up a key during
message encryption are governed by --auto-key-locate. This change
does not touch the --auto-key-locate default of "local,wkd". The user
deliberately asking gpg to encrypt to an e-mail address is a different
scenario than having an incoming e-mail trigger a potentially unique
network request.
Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
---
doc/gpg.texi | 2 +-
g10/gpg.c | 3 +--
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/doc/gpg.texi b/doc/gpg.texi
index c71126a..b6a9b2d 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -1792,7 +1792,7 @@ list. The default is "local,wkd".
@opindex no-auto-key-retrieve
These options enable or disable the automatic retrieving of keys from
a keyserver when verifying signatures made by keys that are not on the
-local keyring. The default is @option{--auto-key-retrieve}.
+local keyring. The default is @option{--no-auto-key-retrieve}.
If the method "wkd" is included in the list of methods given to
@option{auto-key-locate}, the signer's user ID is part of the
diff --git a/g10/gpg.c b/g10/gpg.c
index c721cdc..c9fa7ae 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -2366,8 +2366,7 @@ main (int argc, char **argv)
opt.keyserver_options.import_options = (IMPORT_REPAIR_KEYS
| IMPORT_REPAIR_PKS_SUBKEY_BUG);
opt.keyserver_options.export_options = EXPORT_ATTRIBUTES;
- opt.keyserver_options.options = (KEYSERVER_HONOR_PKA_RECORD
- | KEYSERVER_AUTO_KEY_RETRIEVE);
+ opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD;
opt.verify_options = (LIST_SHOW_UID_VALIDITY
| VERIFY_SHOW_POLICY_URLS
| VERIFY_SHOW_STD_NOTATIONS
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git
More information about the Pkg-gnupg-commit
mailing list