gpg: default to --no-auto-key-retrieve.

* g10/gpg.c (main): remove KEYSERVER_AUTO_KEY_RETRIEVE from the
default keyserver options.
* doc/gpg.texi: document this change.
--

This is a partial reversion of
7e1fe791d1.  Werner and i discussed it
earlier today, and came to the conclusion that:

 * the risk of metadata leakage represented by a default
   --auto-key-retrieve, both in e-mail (as a "web bug") and in other
   contexts where GnuPG is used to verified signatures, is quite high.

 * the advantages of --auto-key-retrieve (in terms of signature
   verification) can sometimes be achieved in other ways, such as when
   a signed message includes a copy of its own key.

 * when those other ways are not useful, a graphical, user-facing
   application can still offer the user the opportunity to choose to
   fetch the key; or it can apply its own policy about when to set
   --auto-key-retrieve, without needing to affect the defaults.

Note that --auto-key-retrieve is specifically about signature
verification.  Decisions about how and whether to look up a key during
message encryption are governed by --auto-key-locate.  This change
does not touch the --auto-key-locate default of "local,wkd".  The user
deliberately asking gpg to encrypt to an e-mail address is a different
scenario than having an incoming e-mail trigger a potentially unique
network request.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

doc/gpg.texi

@@ -1792,7 +1792,7 @@ list.  The default is "local,wkd".
 @opindex no-auto-key-retrieve
 These options enable or disable the automatic retrieving of keys from
 a keyserver when verifying signatures made by keys that are not on the
-local keyring.  The default is @option{--auto-key-retrieve}.
+local keyring.  The default is @option{--no-auto-key-retrieve}.
 
 If the method "wkd" is included in the list of methods given to
 @option{auto-key-locate}, the signer's user ID is part of the