Re: [pkg-gnupg-maint] Bug#842291: notmuch processes frequently stuck in select()

Subject: Re: [pkg-gnupg-maint] Bug#842291: notmuch processes frequently stuck in select()

Date: Fri, 25 Nov 2016 00:18:56 +0100

To: Daniel Kahn Gillmor

Cc: David Bremner, Brian May,, Robbie Harwood,, Debian GnuPG packaging

From: Werner Koch

On Wed, 23 Nov 2016 18:19, said:

>  0) turn off CRL updates entirely during s/mime signature verification

The gpgsm option is --disable-crl-checks.  

>  1) do s/mime signature verification without CRL updates, but schedule
>     CRL checks to happen in the background for dirmngr, so that future
>     verifications will reflect the cert validity

As above but use 

  dirmngr-client--url --load-crl URLOFCRL

You need to known the URL of the CRL, though.

>  2) have dirmngr avoid checking CRLs that it knows it has already
>     updated recently

A CRL carries a next-update date which is homored by dirmngr.  Further
dirmngr doesn't avoids to download a CRL unless 30 minutes have passed
since the lassed download.

>  3) tell dirmngr to use much shorter CRL fetch timeouts

gpgsm -k  --enable-crl-check --force-crl-refresh  USERID

> that's a 20-second lag between each failed check, adding up to 80

That seems to be caused by DNS lookups.  For example ADNS keeps on
trying even if it has received an ENETUNREACH and thus no UDP query
packet has been sent out.   We will very likely replace ADNS by a more
flexible library in the next GnuPG version.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
part-000.sig (application/pgp-signature)