Version v2016-08-15-01
Update pgp verification instructions

There appears to be a concerted ongoing campaign to poison the PGP
keyservers with short-ID keygrip collisions (e.g. see
http://pgp.gwolf.org/pks/lookup?op=vindex&search=0x00411886 -- the key
from 2014 is NOT Linus's key, but you wouldn't be able to tell the
difference if you were only looking at the output of that page).

This is only dangerous if people don't actually rely on the web of
trust, but use visual confirmation of keygrips as an indication of key
validity. Unfortunately, the PGP web of trust is probably the most
poorly understood concept among developers and packagers, and so in this
commit I added the following information to the document:

1. Use command outputs from more recent versions of gnupg that list
   16-character keygrips -- in case people actually rely on them for
   verification purposes (you shouldn't!).
2. Mention pgp.cs.uu.nl and their excellent trust paths tool. Pre-seed
   the link with Linus's actual full-fingerprint keyid.
3. List Linus's and Greg's fingerprints on the page, even if this
   defeats the purpose of the web of trust. It's better if people use a
   TLS-verified site to "seed" their pgp keyring, than if they use
   nothing at all and rely on the output of gpg --search.

Obligatory XKCD link: https://xkcd.com/1181/

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
1 file changed
tree: 0e60ef93a1b24044df289e49cf1dbef09e32c2d2
  1. content/
  2. korgi/
  3. plugins/
  4. .gitignore
  5. pelicanconf.py
  6. publishconf.py
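
The short-ID collision problem described in the commit message above, as an added example that is not part of the original commit or the site's own code: the Python below parses constructed `gpg --with-colons` output, flags keys that share a 32-bit short ID, and accepts a key only on a full-fingerprint match. All fingerprints and user IDs are made-up placeholders, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in `gpg --with-colons --fingerprint` layout. The
# fingerprints are made-up placeholders that share their last 8 hex digits.
SAMPLE = """\
pub:-:2048:1:AAAAAAAA0BADC0DE:1316554898:::-:::scESC:
fpr:::::::::111122223333444455556666AAAAAAAA0BADC0DE:
uid:-::::1316554898::X::Example Maintainer <maintainer@example.org>:
pub:-:4096:1:BBBBBBBB0BADC0DE:1403000000:::-:::scESC:
fpr:::::::::999988887777666655554444BBBBBBBB0BADC0DE:
uid:-::::1403000000::Y::Example Maintainer <maintainer@example.org>:
"""

def parse_keys(colon_output):
    """Return one {'fpr', 'uids'} dict per primary key in the listing."""
    keys = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"fpr": None, "uids": []})
        elif f[0] == "fpr" and len(f) > 9 and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9].upper()  # first fpr after pub = primary key
        elif f[0] == "uid" and len(f) > 9 and keys:
            keys[-1]["uids"].append(f[9])
    return [k for k in keys if k["fpr"]]  # drop records with no fingerprint

def short_id_collisions(keys):
    """Map each 32-bit short ID to its fingerprints when several keys share it."""
    groups = defaultdict(list)
    for k in keys:
        groups[k["fpr"][-8:]].append(k["fpr"])
    return {sid: fprs for sid, fprs in groups.items() if len(fprs) > 1}

def select_pinned(keys, pinned_fpr):
    """Accept only a key whose full fingerprint equals the pinned value."""
    want = pinned_fpr.replace(" ", "").upper()
    if len(want) != 40:  # a v4 fingerprint is 40 hex digits; refuse key IDs
        return None
    return next((k for k in keys if k["fpr"] == want), None)

if __name__ == "__main__":
    keys = parse_keys(SAMPLE)
    for sid, fprs in short_id_collisions(keys).items():
        print(f"short ID {sid} is ambiguous: {fprs}")
    # Pin assumed to come from a trusted channel, e.g. a TLS-verified page.
    pinned = "1111 2222 3333 4444 5555 6666 AAAA AAAA 0BAD C0DE"
    print("accepted:", select_pinned(keys, pinned))
```

Both constructed keys carry the same user ID and the same short ID, so only the full-fingerprint comparison tells them apart.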