Package: gnupg
Version: 1.4.19-5
Severity: wishlist

Dear Maintainer,

By default, gpg requests keys using HKP server <keys.gnupg.net>. This allows a passive attacker to obtain information about the keys requested by the user, which may be harmful in terms of privacy.

I think that gpg should be using an HKPS server by default. See e.g., <https://help.riseup.net/en/security/message-security/openpgp/best-practices#use-the-sks-keyserver-pool-instead-of-one-specific-server-with-secure-connections>

See also a similar bug for dirmngr: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784286>.

Best regards,

-- 
Antoine Amarilli

-- System Information:
Debian Release: stretch/sid
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnupg depends on:
ii  gpgv          1.4.19-5
ii  libbz2-1.0    1.0.6-8
ii  libc6         2.19-22
ii  libreadline6  6.3-8+b3
ii  libusb-0.1-4  2:0.1.12-27
ii  zlib1g        1:1.2.8.dfsg-2+b1

Versions of packages gnupg recommends:
ii  gnupg-curl     1.4.19-5
ii  libldap-2.4-2  2.4.42+dfsg-2

Versions of packages gnupg suggests:
ii  eog           3.18.0-1
pn  gnupg-doc     <none>
ii  imagemagick   8:6.8.9.9-6
ii  libpcsclite1  1.8.14-1
ii  parcimonie    0.9-3

-- debconf-show failed
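
The check below is an added example, not part of the bug report and not GnuPG code: it audits the text of a gpg.conf for keyservers that would be contacted without TLS, falling back to the default named in the report when no `keyserver` line is present. The function names, the example.org hosts and the CA path are constructed placeholders, and treating a value with no scheme as plain HKP is an assumption.

```python
# Added example: flag keyservers in gpg.conf text that are reached without TLS.
PAGE_DEFAULT = "hkp://keys.gnupg.net"      # default described in the report above
TLS_SCHEMES = {"hkps", "https", "ldaps"}   # schemes that wrap the lookup in TLS


def keyserver_findings(conf_text):
    """Return [(uri, scheme, uses_tls, origin)] for each keyserver gpg may contact."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                        # blank line or comment
        parts = line.split()
        if parts[0] != "keyserver" or len(parts) < 2:
            continue                        # e.g. keyserver-options, other options
        uri = parts[1]
        # Assumption: a value without a scheme is treated as plain HKP.
        scheme = uri.split("://", 1)[0].lower() if "://" in uri else "hkp"
        findings.append((uri, scheme, scheme in TLS_SCHEMES, f"line {lineno}"))
    if not findings:
        # Nothing configured: the default from the report applies.
        findings.append((PAGE_DEFAULT, "hkp", False, "built-in default"))
    return findings


def plaintext_keyservers(conf_text):
    """Keep only the findings a passive observer on the network path could read."""
    return [f for f in keyserver_findings(conf_text) if not f[2]]


# Constructed sample configurations (hosts and CA path are placeholders).
EMPTY_CONF = "# no keyserver configured\nkeyserver-options auto-key-retrieve\n"
WEAK_CONF = "keyserver hkp://pool.example.org\n"
HARDENED_CONF = (
    "keyserver hkps://pool.example.org\n"
    "keyserver-options ca-cert-file=/path/to/pool-ca.pem\n"
)

if __name__ == "__main__":
    for name, conf in [("empty", EMPTY_CONF), ("weak", WEAK_CONF),
                       ("hardened", HARDENED_CONF)]:
        bad = plaintext_keyservers(conf)
        print(name, "OK" if not bad else f"plaintext lookups: {bad}")
```
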