On 2020-10-14 at 21:05 -0700, Todd Fleisher wrote:
> I personally recommend an Ubuntu 18.04LTS system, using the somewhat
> patched package found @
> https://launchpad.net/~canonical-sysadmins/+archive/ubuntu/sks-public/+packages
> to protect against the so-called “poison keys” that will almost
> certainly cause your system to be unstable & use much more bandwidth
> & IO than is necessary. This path will render compilation
> unnecessary.
>
> -T
First of all, those patches protect against a single poison key, 0xE41ED3A107A7DBC7. By skipping the merge of changes to it, I think.

Second, this may actually not be a good idea at all. SKS key reconciliation works by having two servers with different contents for a "file" end up with the same one. If one of the parties is picky and rejects some keys the other has, the system might fall apart. Ideally, a rejection of certain keys would have to be network-wide. Otherwise, the reconciliation could fail, or the servers might be continuously retrying that key which is actually rejected by the other party.

I'm not sure if this is actually a problem with this patch (I hope someone with a better understanding of the protocol can chime in and explain), but it seems a reason for concern.

Also, I expect that if you started from a dump which already has the forbidden key, this patch was probably a no-op and that reconciliation issue would go unnoticed.

Best regards
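The two concerns raised above (a one-sided filter that leaves the peers perpetually disagreeing, and the filter being a silent no-op when the key already came in via a dump) can be shown with a toy model. The following is an added example, not SKS code and not the patch under discussion: it reduces each keyserver to a set of key IDs and reconciliation to "compute the difference, then each side fetches what it lacks", which is a simplification of the real SKS protocol. The `Peer.rejected` set and the `reconcile` driver are hypothetical stand-ins for the patched merge logic; the key ID string is only reused from the thread as a label.

```python
"""Toy model of pairwise set reconciliation with a one-sided key filter.

Added illustration, not SKS code. Each peer is a set of key IDs; one
reconciliation round lets each side fetch the keys the other has and it
lacks. A `rejected` set on one peer models a hypothetical patch that
refuses to merge a particular key.
"""

from dataclasses import dataclass, field

# Key ID from the thread, used here purely as a label for the toy model.
POISON = "E41ED3A107A7DBC7"


@dataclass
class Peer:
    name: str
    keys: set = field(default_factory=set)
    # Keys this peer refuses to merge from others (empty = accept everything).
    rejected: set = field(default_factory=set)
    # How many times each key was offered to this peer; exposes retry loops.
    fetch_attempts: dict = field(default_factory=dict)

    def merge(self, key):
        """Accept a key offered by the other side unless it is on the reject list."""
        self.fetch_attempts[key] = self.fetch_attempts.get(key, 0) + 1
        if key in self.rejected:
            return False  # hypothetical patch: drop the merge on the floor
        self.keys.add(key)
        return True


def recon_round(a, b):
    """One reconciliation round in each direction.

    Returns the size of the remaining symmetric difference, i.e. how many
    keys the two peers still disagree on after the round.
    """
    for src, dst in ((a, b), (b, a)):
        for key in sorted(src.keys - dst.keys):
            dst.merge(key)
    return len(a.keys ^ b.keys)


def reconcile(a, b, max_rounds=5):
    """Run rounds until the peers agree or max_rounds is hit.

    Returns the per-round difference sizes; a converging pair ends in 0,
    a stuck pair keeps reporting the same non-zero value every round.
    """
    history = []
    for _ in range(max_rounds):
        diff = recon_round(a, b)
        history.append(diff)
        if diff == 0:
            break
    return history


def scenario(b_rejects, b_has_poison_from_dump):
    """Constructed scenario: A holds the poison key; B may reject it and/or
    may already hold it because it was loaded from a dump.

    Returns (difference history, offers of POISON made to B, POISON in B).
    """
    a = Peer("A", keys={"K1", "K2", POISON})
    b_keys = {"K1", "K3"} | ({POISON} if b_has_poison_from_dump else set())
    b = Peer("B", keys=b_keys, rejected={POISON} if b_rejects else set())
    history = reconcile(a, b)
    return history, b.fetch_attempts.get(POISON, 0), POISON in b.keys


if __name__ == "__main__":
    print("unpatched:              ", scenario(False, False))
    print("patched, clean start:   ", scenario(True, False))
    print("patched, key from dump: ", scenario(True, True))
```

In the unpatched case the peers converge in one round. With the one-sided filter and a clean start, the difference never drops to zero and A re-offers the rejected key on every round, which is the retry loop the message worries about. With the filter but a dump that already contained the key, both peers agree immediately and the filter never fires, so nothing in the reconciliation history would reveal that the patch is present.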