Holger Levsen writes ("use long keyid-format in gpg.conf (Re: Key collisions in the wild"):
> I'm somewhat surprised by this mail… or rather by you apparently
> knowing about the issue but still you seem to not have acted as advised,
> so let me repeat: everybody, please put "keyid-format long" into your
> ~/.gnupg/gpg.conf!

I am dismayed to once again see advice which suggests that systematic
security bugs in the default behaviour of gnupg should be addressed on
an ad-hoc basis by individual users editing their personal
configuration.

It would be much better to put out a stable release update to change
the default. (Probably not a security update because of the risk of
causing currently-vulnerable scripts to become nonfunctional, which is
not something we normally do in security updates.)

Even if long keyids are not sufficient, they are a big improvement and
we should not let fixing this problem properly stand in the way of
doing what we can, now.

Ian.
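
Added example, not part of the message above and not GnuPG code: a Python check that reads the `fpr` records of a `gpg --with-colons` listing and reports distinct fingerprints that share a key ID at the short (8 hex digit) width, then repeats the check at the long (16 hex digit) width. The fingerprints and the helper names are constructed for illustration.

```python
from collections import defaultdict

def fpr_line(fp):
    # Constructed record in the colon format: the fingerprint is field 10.
    return "fpr" + ":" * 9 + fp + ":"

# Constructed 40-hex-digit fingerprints (not real keys). KEY_A and KEY_B
# differ but end in the same 8 hex digits.
KEY_A = "A" * 24 + "01234567" + "DEADBEEF"
KEY_B = "B" * 24 + "89ABCDEF" + "DEADBEEF"
KEY_C = "C" * 24 + "0011223344556677"
SAMPLE_LISTING = "\n".join(fpr_line(fp) for fp in (KEY_A, KEY_B, KEY_C))

def fingerprints(listing):
    """Return the fingerprints from the fpr records of a colon listing."""
    out = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            out.append(fields[9].upper())
    return out

def collisions(fprs, hex_digits):
    """Map each key ID of the given width to the distinct fingerprints sharing it."""
    by_id = defaultdict(set)
    for fp in fprs:
        by_id[fp[-hex_digits:]].add(fp)
    return {kid: sorted(fps) for kid, fps in by_id.items() if len(fps) > 1}

if __name__ == "__main__":
    fprs = fingerprints(SAMPLE_LISTING)
    for label, width in (("short", 8), ("long", 16)):
        found = collisions(fprs, width)
        print(f"{label} key IDs: {len(found)} collision(s)")
        for kid, fps in found.items():
            print(f"  {kid}: " + ", ".join(fps))
```

To run it against a real keyring, pass the output of `gpg --list-keys --with-colons --with-fingerprint` to `fingerprints()` in place of the sample.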