#3640 https://fedoraproject.org/en/keys contains contradictory link to GPG keyserver
Closed: Fixed None Opened 11 years ago by till.

= bug description =

https://fedoraproject.org/en/keys says that the current GPG keys for Fedora 18 are:

{{{
pub 4096R/DE7F38BD 2012-08-06
Key fingerprint = 7EFB 8811 DD11 E380 B679 FCED FF01 125C DE7F 38BD
uid Fedora (18) fedora@fedoraproject.org
}}}

and

{{{
pub 4096R/A4D647E9 2012-08-06
Key fingerprint = 62D6 986A 2639 CF2E 3790 EE45 68DC D160 A4D6 47E9
uid Fedora Secondary Arch (18) fedora@fedoraproject.org
}}}

However, links to a keyserver are as follows:
{{{
http://keys.gnupg.net:11371/pks/lookup?search=0x22B3B81A&op=get
http://keys.gnupg.net:11371/pks/lookup?search=0x34E166FA&op=get
}}}

The keys available at these locations do not match the described keys.

= bug analysis =
Looking at their creation date, it looks like they have been created for F17 by accident. Someone maintaining the keys web page does not seem to verify which keys need to be linked there and used wrong key IDs.

= fix recommendation =

  1. Remove the links to key servers from the web page, as they do not provide any benefit. They even lessen security, as the download from there is not as well verified as from the provided HTTPS link to the same server as the keys web page.
  2. Revoke the wrong keys, given they are created by Fedora.
  3. Update the keys web page in a way that contradictions are less likely to occur, e.g. create them automatically by a script that only takes valid key fingerprints as input.
  4. Sign new keys with old keys to establish a trust relationship between different keys to make it more obvious if wrong keys are found.
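As an added illustration of the consistency check recommendation 3 calls for (not code from the ticket or from Fedora's infrastructure), the script below parses a constructed excerpt mirroring the ticket's key listing and keyserver links, and reports whether each linked key ID is a suffix of a fingerprint the page actually lists; the key IDs, fingerprints and URL form are the ones quoted in the ticket.

```python
import re

# Constructed excerpt of the keys page, built from the listing and links quoted in the ticket.
PAGE_TEXT = """
pub 4096R/DE7F38BD 2012-08-06
Key fingerprint = 7EFB 8811 DD11 E380 B679 FCED FF01 125C DE7F 38BD
uid Fedora (18) fedora@fedoraproject.org
pub 4096R/A4D647E9 2012-08-06
Key fingerprint = 62D6 986A 2639 CF2E 3790 EE45 68DC D160 A4D6 47E9
uid Fedora Secondary Arch (18) fedora@fedoraproject.org
http://keys.gnupg.net:11371/pks/lookup?search=0x22B3B81A&op=get
http://keys.gnupg.net:11371/pks/lookup?search=0x34E166FA&op=get
"""

# A v4 OpenPGP fingerprint is 40 hex digits, printed as ten groups of four.
FPR_RE = re.compile(r"Key fingerprint\s*=\s*((?:[0-9A-F]{4}\s*){10})", re.IGNORECASE)
# Keyserver lookups use 0x followed by a short (8), long (16) or full (40) hex key ID.
LINK_RE = re.compile(r"search=0x([0-9A-F]{8,40})", re.IGNORECASE)


def fingerprints(text):
    """Return the listed fingerprints as 40-character upper-case hex strings."""
    return [re.sub(r"\s+", "", m).upper() for m in FPR_RE.findall(text)]


def linked_key_ids(text):
    """Return the key IDs referenced by keyserver links, upper-cased."""
    return [m.upper() for m in LINK_RE.findall(text)]


def check_links(text):
    """Map each linked key ID to True if it matches a listed fingerprint, else False.

    Any key ID form is a suffix of the full fingerprint, so a suffix test covers
    short, long and full IDs. Short 8-digit IDs are not unique, so a True here only
    means the link is consistent with the page, not that the keyserver copy is genuine.
    """
    fprs = fingerprints(text)
    return {kid: any(fpr.endswith(kid) for fpr in fprs) for kid in linked_key_ids(text)}


if __name__ == "__main__":
    for kid, ok in check_links(PAGE_TEXT).items():
        print(f"0x{kid}: {'matches a listed fingerprint' if ok else 'NOT on the page'}")
```

Run against the excerpt, both links come back as not matching any listed fingerprint, which is exactly the contradiction the ticket reports.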

Key server links have been removed.
