Package: gnupg
Version: 2.2.16-2
Control: clone -1 -2
Control: affects -1 monkeysphere enigmail sks
Control: found -1 2.2.13-2
Control: found -1 2.2.12-1
Control: found -1 2.1.18-8~deb9u4
Control: forwarded -1 https://dev.gnupg.org/T4592
Control: reassign -2 monkeysphere 0.41-1
Control: retitle -2 monkeysphere-authentication chokes on flooded certificates
When an OpenPGP certificate is flooded with too many certifications, and a GnuPG installation imports it into `pubring.gpg`, performance of gpg is atrocious. I've documented that performance problem at https://dev.gnupg.org/T4592.

This is apparently breaking people's enigmail installations (https://dev.gnupg.org/T3972#127338).

This is also an issue for monkeysphere-authentication, because it pulls keys from the keyserver network and then tries to use them. Any system that has monkeysphere-authentication scheduled in a cronjob to pull from the SKS keyserver network, for example, can get automatic heavy CPU load if one of the certificates they're pulling gets flooded like this.

A handful of (complementary) workarounds present themselves as an option for the monkeysphere (and any other tools that are affected):

 * switch from the keyring format (pubring.gpg) to the keybox format (pubring.kbx), which has narrower limits about what it is willing to import.

 * do your fetches from the keyserver using "--import-options import-clean" -- while this won't fix everything, it'll still be useful.

 * fetch keys via other mechanisms, like WKD or DANE, instead of the SKS keyserver network. Unfortunately, this only works for retrieving certificates by e-mail address, and requires cooperation from the domain owner to set it up. It also doesn't necessarily provide revocation or subkey updates; it could go stale.

 * use hkps://keys.openpgp.org instead of the SKS keyserver network -- this won't let you fetch third-party certifications, but it will let you fetch revocations and key material updates.

Ultimately, we'll need a fix in GnuPG, though. (or for tools to move away from using GnuPG as their OpenPGP implementation)

    --dkg
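As an added example (not code from this report, from monkeysphere or from GnuPG), a small POSIX sh helper that combines the first, second and fourth workarounds above: it refuses to pull into a legacy pubring.gpg keyring, and otherwise fetches key material and revocation updates from hkps://keys.openpgp.org with import-clean applied. The function names, the GPG override variable and the all-zero fingerprint placeholder are assumptions.

```shell
#!/bin/sh
# Hypothetical helper for a cron-driven certificate refresh.
# GPG may be overridden (e.g. with a stub for testing); defaults to the real binary.
GPG="${GPG:-gpg}"

# keyring_format DIR -> prints "keybox", "keyring" or "none"
# GnuPG 2.1+ creates pubring.kbx in a fresh homedir, so "none" is safe to proceed.
keyring_format() {
    dir="$1"
    if [ -f "$dir/pubring.kbx" ]; then
        echo keybox
    elif [ -f "$dir/pubring.gpg" ]; then
        echo keyring
    else
        echo none
    fi
}

# refresh_cert DIR FINGERPRINT
# Returns 1 without touching the network when DIR still uses the legacy
# keyring format, since a flooded certificate would then be imported without
# the keybox limits. Otherwise fetches only from keys.openpgp.org (no
# third-party certifications) and drops unusable signatures on import.
refresh_cert() {
    dir="$1"
    fpr="$2"
    fmt=$(keyring_format "$dir")
    if [ "$fmt" = keyring ]; then
        echo "refusing to import into legacy keyring $dir/pubring.gpg; migrate to pubring.kbx first" >&2
        return 1
    fi
    "$GPG" --homedir "$dir" \
        --keyserver hkps://keys.openpgp.org \
        --import-options import-clean \
        --recv-keys "$fpr"
}

# usage (placeholder fingerprint, constructed for illustration):
#   . ./refresh_cert.sh
#   refresh_cert "$HOME/.gnupg" 0000000000000000000000000000000000000000
```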