The current file structure of a single AUTHORS uses the short key IDs, which is a known weakness.
It takes 4 seconds to generate a colliding 32-bit key ID on a GPU (using scallion). Key servers do little verification of uploaded keys and allow keys with colliding 32-bit IDs. Further, GPG uses 32-bit key IDs throughout its interface and does not warn you when an operation might apply to multiple keys.
Instead of a single AUTHORS file, an AUTHORS directory with individual files for each AUTHOR should be used, as the previous iteration of gitguild was structured.
/gitguild/AUTHORS/<author.md>
The author.md file should contain the full public key block of the AUTHOR. This removes keyservers as a dependency in the protocol.
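As an added illustration (not gitguild's own code), the sketch below derives the full 160-bit fingerprint directly from the key block stored in each author file and refuses lookups by short ID. The function names and the sample key are hypothetical and constructed; only v4 keys are handled and the armor checksum is not verified.

```python
import base64, hashlib, re
from pathlib import Path

ARMOR = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(.*?)\n"
                   r"-----END PGP PUBLIC KEY BLOCK-----", re.S)

def dearmor(text: str) -> bytes:
    """Return the binary key from the armored block in an author.md file."""
    m = ARMOR.search(text)
    if not m:
        raise ValueError("no public key block")
    lines = [l.strip() for l in m.group(1).splitlines()]
    if "" in lines:                        # armor headers end at the first blank line
        lines = lines[lines.index("") + 1:]
    # Lines starting with "=" carry the optional CRC-24, which is not checked here.
    return base64.b64decode("".join(l for l in lines if not l.startswith("=")))

def fingerprint(key: bytes) -> str:
    """Full v4 fingerprint (40 hex digits) of the first packet, the primary key."""
    hdr = key[0]
    if (hdr & 0xC0) == 0xC0:               # new-format packet header
        tag, l = hdr & 0x3F, key[1]
        if l < 192: start, n = 2, l
        elif l < 224: start, n = 3, ((l - 192) << 8) + key[2] + 192
        elif l == 255: start, n = 6, int.from_bytes(key[2:6], "big")
        else: raise ValueError("partial body length")
    else:                                  # old-format header; width 0 = indeterminate
        tag, w = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 3]
        start, n = 1 + w, int.from_bytes(key[1:1 + w], "big")
    body = key[start:start + n]
    if not hdr & 0x80 or tag != 6 or len(body) != n or n == 0 or body[0] != 4:
        raise ValueError("not a v4 public key packet")
    return hashlib.sha1(b"\x99" + n.to_bytes(2, "big") + body).hexdigest().upper()

def load_authors(authors_dir) -> dict:
    """Map full fingerprint -> file name for every AUTHORS/<author>.md."""
    return {fingerprint(dearmor(p.read_text())): p.name
            for p in sorted(Path(authors_dir).glob("*.md"))}

def author_for(registry: dict, fpr: str) -> str:
    """Look up a signer by full fingerprint only; 32-bit short IDs are refused."""
    fpr = fpr.replace(" ", "").upper()
    if len(fpr) != 40:
        raise ValueError("full 40-hex-digit fingerprint required")
    return registry[fpr]

# Constructed sample, not a real key: v4, timestamp, algorithm 22, dummy key material.
_BODY = b"\x04" + (1500000000).to_bytes(4, "big") + b"\x16" + bytes(range(40))
SAMPLE_AUTHOR_MD = ("# alice (constructed)\n\n-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
    + base64.b64encode(b"\x98\x2e" + _BODY).decode() + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

The fingerprint a signature reports can then be matched against this registry without contacting a keyserver.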