Hi Bruno and Simon,

Reviving this very old thread because looking at maintain.texi reminded
me of it. It says:

    Optional but recommended: Send your keys to a GPG public key server:
    @code{gpg --keyserver keys.gnupg.net --send-keys @var{keyid}...}, where
    @var{keyid} is the eight hex digits reported by @code{gpg
    --list-public-keys} on the @code{pub} line before the date.  For full
    information about GPG, see @url{https://www.gnu.org/software/gpg}.

But as you mention, Simon:

> We used to have a working PGP keyserver network, but they were attacked
> and most shut down.  It seems that if some mechanism to distribute keys
> in a strong way establishes itself, it attracts abuse.  Designing a
> proper mechanism is apparently not a simple problem, or it would have
> existed.

I think you are referring to the SKS keyserver which I think
keys.gnupg.net resolved to until both were killed. Someone gave a talk
showing you could spam signatures on keys and then released the script
they used. Who would have guessed others would use it maliciously... I
can send you the link in private, not that it is very hard to find, but
because I do not want to encourage its use.

The real point of this email, though, is that I feel it is a bit silly
to recommend uploading a key to a keyserver that does not exist
anymore. Should that section just be removed from the manual?

GPG does not even have a default keyserver anymore. I think most
distributions have a patch to use https://keys.openpgp.org/ or
https://keyserver.ubuntu.com/.  IIRC, Werner Koch has given up on key
servers and prefers WKD as he uses for his key [1].  But that is not even
possible for someone with a lowly gmail address like me. :)

That is why I would rather just remove it instead of recommending a different
keyserver at least. But maybe I am wrong.

Collin

[1] https://werner.eifzilla.de/key.html
