stop using gpg keyservers / provide OpenPGP keys for download as files from torproject.org
Quote (bold not added by me)
High-risk users should stop using the keyserver network immediately.
Originator of quote, again quoting directly:
Robert J. Hansen firstname.lastname@example.org. I maintain the GnuPG FAQ and unofficially hold the position of crisis communicator. This is not an official statement of the GnuPG project, but does come from someone with commit access to the GnuPG git repo.
- Apart from this, keyservers have been unreliable for a long time now. This alone is a reason for at least providing an optional download of public keys.
- While https://support.torproject.org/tbb/how-to-verify-signature/ can be viewed in Tor Browser, doing networking outside of Tor Browser (gpg --recv-keys) is non-trivial to do torified. Also for that reason it would be better if users could get both, the information how to verify and the gpg public key from the same source.