This. In fact, it creates an even more dangerous situation, as users could go to the site, see their keys, and say "I dunno. Looks fine?" and approve all of the keys, without actually confirming that the keys are legitimate.
Not giving instructions on the page on how to verify the info was weak. GitHub people, if you're reading this, please update that page.
I very much agree they should have added instructions to the page. However, when I went through the process there was a prominent note saying that when in doubt, you should reject keys and upload new ones. So the "I dunno. Looks fine?" case seems like it would be a problem only for the careless.
Disagree for anyone with more than one key. The problem with verifying all your keys at once is that I'm not going to find all my devices (I don't practice falconry). It would have been better if you could delay answering for some keys. I'm not sure you could have, but I didn't feel that way when performing my audit so I accepted them all; they all had recognizable hostnames.
It looked like you could put off dealing with keys by just not doing anything to them. Anything you didn't approve or deny would stick around. However, I didn't actually test this, and I only had one key, which is now approved, so it's too late.
That is correct; I did exactly that. I got the message at home, and I had a key for a work computer on there, so I confirmed the home keys and left the work key disabled.
Honestly, I did that. Just went right to the page and clicked "Approve" to all of them. I couldn't remember the command to get my fingerprint, I was lazy, and that was really stupid of me, but it does go to show you should never trust a user. Even one who is a programmer and understands the risks.
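An added example, not part of the thread and not GitHub's code: one way to do the check discussed above, by computing the fingerprints of the public keys on the machine in front of you and approving only the listed entries that match, leaving the rest pending. The key lines are constructed dummy values, and `fingerprints`, `audit` and `constructed_key` are hypothetical helper names; both the colon-separated MD5 form and the `SHA256:` form that OpenSSH prints are produced so either can be compared.

```python
import base64
import hashlib
import struct


def fingerprints(pubkey_line):
    """Return (md5_hex, sha256_b64) fingerprints for one OpenSSH public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob starts with a length-prefixed copy of the key type; a mismatch
    # means the line was truncated or edited, so refuse to fingerprint it.
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match blob")
    md5 = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_fp, "SHA256:" + sha


def audit(listed, local_pubkey_lines):
    """Split listed fingerprints into those matched by a local key and the rest."""
    known = set()
    for line in local_pubkey_lines:
        known.update(fingerprints(line))
    matched = [fp for fp in listed if fp in known]
    unmatched = [fp for fp in listed if fp not in known]
    return matched, unmatched


def constructed_key(seed, comment):
    # Constructed sample: a well-formed ssh-ed25519 blob with dummy key bytes.
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([seed]) * 32
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


if __name__ == "__main__":
    home = constructed_key(1, "me@home")   # key present on this machine
    work = constructed_key(2, "me@work")   # key on a machine not at hand
    listed = [fingerprints(home)[0], fingerprints(work)[1]]
    matched, unmatched = audit(listed, [home])
    print("approve (verified locally):", matched)
    print("leave pending or reject:", unmatched)
```

The fingerprint covers only the key blob, so the comment or hostname shown next to a key is not evidence that the key is yours.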