gabriel rosenkoetter on Fri, 28 Feb 2003 00:01:07 -0500



Re: [PLUG] GnuPG 1.2.1 trustdb checks for every pubkey import?


On Thu, Feb 27, 2003 at 10:52:58PM -0500, David Shaw wrote:
> is "if I didn't sign it myself, it's not valid".  Depending on how big
> your web of trust is, a smaller max-cert-depth can be somewhat faster
> when checking the trustdb (less work to do).

Hrm. Well, I'm not making it to five, but I'm almost there, and it
sure feels like stopping around half of what I'm doing now would get
back to being a viable processing time.

At the same time, a reasonable (and 5 seems mostly reasonable to me)
web of trust is kind of the point. And it gets me most of Debian,
most of NetBSD (who bother to have and use OpenPGP keys), and most
of Perry Metzger's crypto list/the respectable portion of
cypherpunks, which is kind of nice.

> I think I need to go for the large hammer next.  The light bulb isn't
> working. :)

Heh. I'm pretty sure that only Microsoft is in a position to mandate
peripherals at this point. Although some videogame manufacturers
seem to want into the market[1]:

  http://www.penny-arcade.com/view.php3?date=2001-06-18&res=l

> Note that you don't need to rebuild the cache nearly that often.  In
> fact, now that you've done it once you can probably not do it again
> for a few months.  It depends on how much importing of new keys you
> do.  Either way, don't bother to do the slower --no-sig-cache
> variation of it again.  There is no need.

Wasn't planning on the --no-sig-cache part. And I end up importing
at least one key a day and often more because of the variety of
mailing lists that I follow. Maybe once a month would be enough...

> Do this:
> 
>   gpg --no --batch --check-trustdb
> 
> That will only do a check if it needs one.

Right. I even read that in the man page earlier today and made a
mental note to do so, but I forgot when I got back to it this
evening.

> I'm sort of glad it happened (not the scare part), as I was able to
> fix the bug.  When 1.2.2 comes out it will be safe to rebuild the
> cache and import keys at the same time.  Note that even in the current
> version it is safe to do a --check-trustdb and import keys at the same
> time.  The bug is only in --rebuild-keydb-caches.

I guess I was also worried about cranking up another --check-trustdb
automatically on --verify in mutt, but my --no-auto-check-trustdb
should prevent that.

[1] Humorous: googling for:
  penny-arcade "in the beanbag"
actually found this. I was afraid I was going to have to go dig for
it. Oh, and in light of my comments earlier today: my apologies for
the title. I'm not either of the guys that writes that strip.

-- 
gabriel rosenkoetter
gr@eclipsed.net

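The settings the thread settles on (a bounded max-cert-depth, no-auto-check-trustdb so that a --verify from mutt never kicks off a full recomputation, and a scheduled `--no --batch --check-trustdb` that only does work when the trustdb is stale) fit together as one small script. The following is an added example, not code from the thread or from GnuPG; the function names write_trust_conf, configured_depth and check_trustdb_if_needed are ours, and it assumes gpg is on PATH for the scheduled check.

```shell
#!/bin/sh
# Added example (not from the thread or GnuPG): wire together the trustdb
# settings discussed above. Function names are our own.
set -u

# Write (or update in place) the two trust-related lines in DIR/gpg.conf.
# Safe to run repeatedly: earlier copies of the managed lines are replaced,
# everything else in the file is left untouched.
write_trust_conf() {
    dir="$1"
    depth="${2:-5}"          # 5 is the depth the thread calls mostly reasonable
    conf="$dir/gpg.conf"
    mkdir -p "$dir"
    chmod 700 "$dir"         # gpg warns about group/world-accessible homedirs
    [ -f "$conf" ] || : > "$conf"
    # grep -v exits 1 when nothing is left, which is fine for an empty file
    grep -v -e '^max-cert-depth ' -e '^no-auto-check-trustdb$' "$conf" > "$conf.tmp" || true
    printf 'max-cert-depth %s\nno-auto-check-trustdb\n' "$depth" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
    chmod 600 "$conf"
}

# Print the configured max-cert-depth, or nothing if it is not set.
configured_depth() {
    sed -n 's/^max-cert-depth \([0-9][0-9]*\)$/\1/p' "$1/gpg.conf"
}

# The cheap form of the check: --batch --check-trustdb only recomputes trust
# when the trustdb is marked stale (for example after a key import), and --no
# answers any remaining prompt conservatively.
check_trustdb_if_needed() {
    dir="$1"
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }
    gpg --homedir "$dir" --no --batch --check-trustdb
}

# Typical use, e.g. once from the shell and then daily from cron:
#   write_trust_conf "$HOME/.gnupg" 5
#   check_trustdb_if_needed "$HOME/.gnupg"
```

Note the trade-off no-auto-check-trustdb introduces: once gpg stops checking on its own, the scheduled run is the only thing keeping calculated trust current, so if the cron entry never fires, keys imported since the last run are evaluated against a stale trustdb until someone runs the check by hand.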