Your message dated Thu, 28 Nov 2024 18:21:16 +0000
with message-id <[email protected]>
and subject line Bug#1085868: Removed package(s) from unstable
has caused the Debian Bug report #931204,
regarding monkeysphere-authentication chokes on flooded certificates
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
931204: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931204
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gnupg
Version: 2.2.16-2
Control: clone -1 -2
Control: affects -1 monkeysphere enigmail sks
Control: found -1 2.2.13-2
Control: found -1 2.2.12-1
Control: found -1 2.1.18-8~deb9u4
Control: forwarded -1 https://dev.gnupg.org/T4592
Control: reassign -2 monkeysphere 0.41-1
Control: retitle -2 monkeysphere-authentication chokes on flooded certificates

When an OpenPGP certificate is flooded with too many certifications, and
a GnuPG installation imports it into `pubring.gpg`, performance of gpg
is atrocious.  I've documented that performance problem at
https://dev.gnupg.org/T4592.

This is apparently breaking people's enigmail installations
(https://dev.gnupg.org/T3972#127338).

This is also an issue for monkeysphere-authentication, because it pulls
keys from the keyserver network and then tries to use them.  Any system
that has monkeysphere-authentication scheduled in a cronjob to pull from
the SKS keyserver network, for example, can get automatic heavy CPU
load, if one of the certificates they're pulling gets flooded like this.

A handful of (complementary) workarounds present themselves as an option
for the monkeysphere (and any other tools that are affected):

 * switch from the keyring format (pubring.gpg) to the keybox format
   (pubring.kbx), which has narrower limits about what it is willing to
   import.

 * do your fetches from the keyserver using "--import-options
   import-clean" -- while this won't fix everything, it'll still be
   useful.

 * fetch keys via other mechanisms, like WKD or DANE, instead of the SKS
   keyserver network.  Unfortunately, this only works for retrieving
   certificates by e-mail address, and requires cooperation from the
   domain owner to set it up.  It also doesn't provide revocation or
   subkey update necessarily, it could go stale.

 * use hkps://keys.openpgp.org instead of the SKS keyserver network --
   this won't let you fetch third-party certifications, but it will let
   you fetch revocations and key material updates.

Ultimately, we'll need a fix in GnuPG, though. (or for tools to move
away from using GnuPG as their OpenPGP implementation)

   --dkg

--- End Message ---
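
A pre-import check for the flooding described in the report above, as an added example that is not part of the original message and is not GnuPG or monkeysphere code: it walks the packet framing of a binary (non-armored) OpenPGP certificate and counts signature packets, so a scheduled fetch can refuse an oversized certificate before handing it to gpg. The 1000-signature limit, the function names and the sample bytes are assumptions made for illustration.

```python
# Added example: count signature packets in a binary (non-armored) OpenPGP
# certificate. Packet framing follows RFC 4880 section 4.2.
SIGNATURE_TAG = 2
MAX_SIGNATURES = 1000  # assumption: local policy threshold, not a GnuPG limit

def iter_packets(data):
    """Yield (tag, body_length) for every packet in the blob."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        pos += 1
        if not hdr & 0x80 or pos >= len(data):
            raise ValueError("bad or truncated packet header")
        if hdr & 0x40:                       # new-format header
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                low = int.from_bytes(data[pos + 1:pos + 2], "big")
                length, pos = ((first - 192) << 8) + low + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body length not expected in a certificate")
        else:                                # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        if pos + length > len(data):
            raise ValueError("truncated packet body")
        yield tag, length
        pos += length

def signature_count(data):
    return sum(1 for tag, _ in iter_packets(data) if tag == SIGNATURE_TAG)

def looks_flooded(data, limit=MAX_SIGNATURES):
    """True when the certificate carries more signature packets than the limit."""
    return signature_count(data) > limit

def constructed_cert(n_sigs):
    """Constructed sample: dummy key, user ID and n_sigs dummy signature packets."""
    key = bytes([0x99, 0x00, 0x04]) + b"\0" * 4   # old format, tag 6
    uid = bytes([0xB4, 0x05]) + b"alice"          # old format, tag 13
    sig = bytes([0xC2, 0x03]) + b"\0" * 3         # new format, tag 2
    return key + uid + sig * n_sigs

if __name__ == "__main__":
    print(signature_count(constructed_cert(3)), looks_flooded(constructed_cert(1001)))
```

The count includes self-signatures and revocations as well as third-party certifications, so the limit should leave room for a certificate's legitimate signatures.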
--- Begin Message ---
Version: 0.43-3.1+rm

Dear submitter,

as the package monkeysphere has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1085868

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[email protected].

Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)

--- End Message ---