Package: schleuder
Version: 3.4.0-1
Forwarded: https://0xacab.org/schleuder/schleuder/merge_requests/291
Tags: fixed-upstream buster

Schleuder is vulnerable to signature-flooded keys. GPG does not cope well with these keys: it will either refuse to import them or, during and after the import, become so slow as to be effectively unusable (while hogging CPUs).

This is a potential problem for Schleuder lists, because Schleuder by default regularly updates keys from the keyservers (in order to receive extended expiry dates or key revocations). Any list with an attacked key in its keyring will become practically unusable and strain the server.

It was decided upstream to drop third-party signatures on keys before importing the key into the keyring of the list. These signatures are not really important, interesting or relevant in the context of Schleuder.
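
The filtering step described above, sketched as an added example (this is not Schleuder's code and not the change in the linked merge request): it walks the binary OpenPGP packets of a key and copies everything except signature packets whose issuer key ID differs from the primary key's. Assumptions: v4 keys and signatures, binary (not ASCII-armored) input, the issuer subpacket is taken at face value without verifying the signature, and all function names are made up for this example.

```ruby
require 'digest'

# Decode a new-format packet or subpacket length at pos -> [length, next_pos].
def read_len(s, pos)
  l = s.getbyte(pos)
  return [l, pos + 1] if l < 192
  return [s.byteslice(pos + 1, 4).unpack1('N'), pos + 5] if l == 255
  [((l - 192) << 8) + s.getbyte(pos + 1) + 192, pos + 2]
end

# Issuer key ID (subpacket type 16) of a v4 signature body, or nil if absent.
def issuer_key_id(sig)
  return nil unless sig.getbyte(0) == 4
  pos = 4
  2.times do                                  # hashed area, then unhashed area
    stop = pos + 2 + sig.byteslice(pos, 2).unpack1('n')
    pos += 2
    while pos < stop
      len, pos = read_len(sig, pos)
      return sig.byteslice(pos + 1, 8) if (sig.getbyte(pos) & 0x7f) == 16
      pos += len
    end
  end
  nil
end

# Copy a binary key, omitting signature packets not issued by the primary key.
def strip_third_party_sigs(keydata)
  data, out, pos, primary = keydata.b, ''.b, 0, nil
  while pos < data.bytesize
    start, hdr = pos, data.getbyte(pos)
    if (hdr & 0x40) != 0                      # new-format header
      raise ArgumentError, 'partial length' if (224..254).cover?(data.getbyte(pos + 1))
      tag = hdr & 0x3f
      len, pos = read_len(data, pos + 1)
    else                                      # old-format header
      tag = (hdr >> 2) & 0x0f
      n = [1, 2, 4].fetch(hdr & 3)            # indeterminate length: IndexError
      len = data.byteslice(pos + 1, n).bytes.inject(0) { |a, b| (a << 8) | b }
      pos += 1 + n
    end
    body = data.byteslice(pos, len)
    # v4 key ID: low 64 bits of SHA-1 over 0x99, 2-byte length, key packet body
    primary = Digest::SHA1.digest([0x99, len].pack('Cn') + body)[-8, 8] if tag == 6
    keep = tag != 2 || (primary && issuer_key_id(body) == primary)
    out << data.byteslice(start, pos - start + len) if keep
    pos += len
  end
  out
end
```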