Bill Allombert <ballo...@debian.org> writes:

> Dear Debian developers,
>
> popularity-contest relies on /usr/bin/gpg for encrypting files.
> (it cannot use gpgv which does not provide encryption).

Why does it need to encrypt data? Can't we just send telemetry over https like everyone else? For people who are uncomfortable with that, they can disable the package.

I don't think the security properties of a popcon recipient PGP key and the WebPKI keys are all that different. Both are keys held by others who users have little information about. At least for WebPKI there are policies and transparency mechanisms in place, but for the Debian PGP keys we have none of that. Which approach results in a better outcome is probably a subjective opinion.

/Simon