[R-sig-Debian] Please update GPG signature to long format.

Charles Plessy charles-r-nospam at plessy.org
Sun Sep 4 03:03:16 CEST 2016

Hi Michael and Dirk,

there are raising concerns that, as of today's computing power, an attacker can
generate a GPG key that has the same short ID as a target key.  In this
situation, it may be possible that a user downloads and trusts the attacker's
GPG key, and as a consequence installs malware.

For that reason (better explained in http://lwn.net/Articles/697417/), it is recommended to use long IDs or
even full fingerprints.  I am therefore suggesting to update the instructions
at <https://cran.rstudio.com/bin/linux/ubuntu/>.


(Note that I tested only in Debian Stable, which is one year older as Trusty,
so it might be good to doublecheck on a Trusty system that it works as

Have a nice day,


Charles Plessy
Tsurumi, Kanagawa, Japan

More information about the R-SIG-Debian mailing list