An interesting conversation on the GPG mailing list that’s been ongoing for months. This info should help us choose a good set of default keyservers for user protection from fake signatures and/or DoS against the WoT.
security-misc /etc/skel/.gnupg/gpg.conf doesn’t define any currently.
The keystore trilemma is not yet solved. You can have two out of three of decentralisation, universality, and abuse-resistance. WKD is decentralised and abuse-resistant but is not universal. keys.openpgp.org is universal and abuse-resistant but highly centralised (and functionally limited). Synchronising keyservers (SKS and Hockeypuck) are decentralised and universal but abuse-prone.

Signature attestations will help tackle many of the abuse (and functional limitation) issues, if we can get them standardised in a future openpgp update (rfc4880tris?). But we will probably have to live with more than one system for the foreseeable future, given the different compromises required.
Hockeypuck is an alternative keyserver implementation written in Go. It’s being extended to verify sigs to stop key spam.
Here are the hockeypuck servers I could find, all synchronizing properly and apparently exchanging data (minus the unwanted packets) with the SKS servers that are synchronized:
I tested the servers on this list and only 4 work and they don't even have your key on there. Only three recognize the Debian key so I don't think making them default makes sense. Best to let devs decide on how users should fetch and verify their repo signing keys.
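An added example (not code from this thread, security-misc, Hockeypuck or any keyserver project) of the per-server check the last post describes: it asks each candidate keyserver's HKP index for one fingerprint and reports whether the server has the key, has it only under a short key id, lacks it, or is unreachable. The server names and the fingerprint used in the test are placeholders, the fetch function is injectable so the logic runs offline, and WKD lookups are out of scope.

```python
"""Added example: which HKP keyservers currently serve a given fingerprint?
Parses the HKP machine-readable index (op=index&options=mr), whose key lines read
pub:<fingerprint or key id>:<algo>:<keylen>:<created>:<expires>:<flags>."""
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import urlopen

def hkp_index_url(server, fingerprint):
    """Map hkp(s)://host to the lookup URL gpg itself would use (hkp port 11371)."""
    scheme, _, host = server.partition("://")
    if scheme == "hkp" and ":" not in host:
        host += ":11371"
    query = urlencode({"op": "index", "options": "mr", "search": "0x" + fingerprint})
    return f"{'http' if scheme == 'hkp' else 'https'}://{host}/pks/lookup?{query}"

def parse_mr_index(body):
    """Return {key identifier: flags} for every pub line of an mr index."""
    keys = {}
    for line in body.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) >= 7:
            keys[fields[1].upper()] = fields[6]
    return keys

def key_status(body, fingerprint):
    """Classify one server's answer: present / expired / revoked / keyid-only / missing."""
    fpr = fingerprint.upper()
    keys = parse_mr_index(body)
    if fpr in keys:
        flags = keys[fpr]
        return "revoked" if "r" in flags else "expired" if "e" in flags else "present"
    if any(fpr.endswith(k) for k in keys):
        return "keyid-only"  # a bare short key id is not proof the server has this key
    return "missing"

def http_fetch(url):
    try:
        with urlopen(url, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return "" if err.code == 404 else None  # 404: server has no such key
    except OSError:
        return None  # DNS, TLS or connection failure: server unreachable

def check_servers(servers, fingerprint, fetch=http_fetch):
    """Status per server; fetch is injectable so the logic can be tested offline."""
    report = {}
    for server in servers:
        body = fetch(hkp_index_url(server, fingerprint))
        report[server] = "unreachable" if body is None else key_status(body, fingerprint)
    return report
```

Run it against a real candidate list by calling `check_servers([...], fingerprint)` with the default fetcher; a server that only answers with a short key id should be treated the same as one that lacks the key.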