gpg: Do not use honor-keyserver-url sub-option by default.

2 files changed, 5 insertions, 4 deletions

diff --git a/doc/gpg.texi b/doc/gpg.texi
index 899c6b8d2..2e7230982 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -1586,12 +1586,14 @@ are available for all keyserver types, some common options are:
   keyserver URL, then use that preferred keyserver to refresh the key
   from. In addition, if auto-key-retrieve is set, and the signature
   being verified has a preferred keyserver URL, then use that preferred
-  keyserver to fetch the key from. Defaults to yes.
+  keyserver to fetch the key from. Note that this option introduces a
+  "web bug": The creator of the key can see when the keys is
+  refreshed.  Thus this option is not enabled by default.
 
   @item honor-pka-record
   If auto-key-retrieve is set, and the signature being verified has a
   PKA record, then use the PKA information to fetch the key. Defaults
-  to yes.
+  to "yes".
 
   @item include-subkeys
   When receiving a key, include subkeys as potential targets. Note that
diff --git a/g10/gpg.c b/g10/gpg.c
index aec6e808e..13d688483 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -2128,8 +2128,7 @@ main (int argc, char **argv)
     opt.export_options = EXPORT_ATTRIBUTES;
     opt.keyserver_options.import_options = IMPORT_REPAIR_PKS_SUBKEY_BUG;
     opt.keyserver_options.export_options = EXPORT_ATTRIBUTES;
-    opt.keyserver_options.options = (KEYSERVER_HONOR_KEYSERVER_URL
-                                     | KEYSERVER_HONOR_PKA_RECORD );
+    opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD;
     opt.verify_options = (LIST_SHOW_UID_VALIDITY
                           | VERIFY_SHOW_POLICY_URLS
                           | VERIFY_SHOW_STD_NOTATIONS