Hi Mattia,

> I'm CCing with this email also lamby and guillem (whom I invite to read
> the original bug report) as they may have further insight, having had
> some stake in introducing the now disputed change.
I believe my thoughts on this issue are already somewhat recorded on the original merge request:

  Whilst I agree that there is no convincing attack vector here, we should definitely be part of the effort of discontinuing the continued community-wide usage of short key IDs in any context. We should rid ourselves of the burden of having to think about whether — in a given context, which can always change — short IDs are safe or not.

  [..]

  Folks revert to using short key IDs in places they shouldn't because they are pretty safe in some places and positively dangerous in others — it's the context-sensitive nature of this that makes it problematic.

> > devscripts should not second-guess gpg itself for what should be
> > considered a valid key identifier.
>
> Just mentioning, also dpkg-buildpackage itself followed this route with
> the latest 1.19.1.

A quick glance at the (huge!) changelog for this upload is not finding the relevant portion. Can you help?

(I also somewhat agree on the "second-guessing" point, although I consider that to be an orthogonal philosophical concern. However, just to confuse matters, I have got some WIP patches locally for gpg /itself/ to reject such identifiers, or at least warn on them...)

Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
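The kind of check the thread is arguing about, as an added example that is not devscripts, dpkg or gpg code: a POSIX sh function that classifies a key identifier before a build tool hands it to gpg, rejecting 8-hex-digit short key IDs (the low 32 bits of the fingerprint, which is what makes them collidable) while accepting 16-digit long IDs and 40-digit v4 fingerprints, and passing anything else (a user ID, an e-mail address) through for gpg itself to resolve. The function names and the accept/reject policy are assumptions for illustration, not the wording of the disputed change.

```shell
#!/bin/sh
# Added example, not code from devscripts, dpkg-buildpackage or GnuPG.
# Policy assumed here: short key IDs are an error, long IDs and full
# fingerprints are fine, anything non-hex is left for gpg to interpret.

# keyid_kind ID -> prints one of: short, long, fingerprint, other
keyid_kind() {
    id=$1
    # gpg accepts an optional 0x prefix and fingerprints with spaces
    # between the 4-digit groups; normalise both before measuring.
    case $id in
        0x*|0X*) id=${id#??} ;;
    esac
    id=$(printf '%s' "$id" | tr -d ' ')
    case $id in
        *[!0-9A-Fa-f]*)            echo other ;;        # uid, e-mail, ...
        ????????)                  echo short ;;        # 32-bit key ID
        ????????????????)          echo long ;;         # 64-bit key ID
        ????????????????????????????????????????) echo fingerprint ;;  # 160-bit
        *)                         echo other ;;        # wrong length
    esac
}

# check_keyid ID -> returns 0 if the tool may pass ID on to gpg,
# 1 if it is a short key ID that should be refused with a hint.
check_keyid() {
    case $(keyid_kind "$1") in
        short)
            echo "error: short key ID '$1' rejected; use the long key ID" \
                 "or the full fingerprint" >&2
            return 1 ;;
        *)
            return 0 ;;
    esac
}

# Constructed sample identifiers (not real keys) to show each branch.
for sample in DEADBEEF 0xDEADBEEF 1234567890ABCDEF \
              '1234 5678 90AB CDEF 1234 5678 90AB CDEF 1234 5678' \
              lamby@debian.org; do
    printf '%-52s %s\n' "$sample" "$(keyid_kind "$sample")"
done
```

The classification deliberately does not try to resolve the identifier against a keyring; that is the "second-guessing gpg" the thread objects to, and the function only measures what the user typed.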