A few people have asked me why the svn is not on github or something similar. I usually answer with stories about trust, and what happened to codespaces. I mean, this is a SECURITY project, right? But today, I saw this...
Try it. If you are on github, you will be quite startled!
Not saying it is only a repository thing... It has me seriously considering how I use SSH keys now.
I am concerned by the privacy issue, but not the security issue.
I fail to see the big security problem in public keys being public, collected and included in a directory service. In a sense, one could say that github here takes on the role of a trusted third party. They confirm that your private key belongs to you. All PKI systems need such a third party, and since we in this context generate the key pair ourselves there is no CA. Surely, it is a good design choice that github gives us the possibility to verify source code as being signed by the original author.
I do see a privacy issue with ssh here; I did not know that upon an anonymous connection to a server ssh would try to reveal my identity. However, it kind of makes sense; it normally is followed by an authentication that would reveal my identity. Now I do try to protect my identity; I do not see the need to present myself fully just because we have a casual interaction on the commuter train or discuss an interesting issue on a forum like this.