Re: Bug#842291: notmuch processes frequently stuck in select()

Subject: Re: Bug#842291: notmuch processes frequently stuck in select()

Date: Wed, 23 Nov 2016 18:57:38 -0400

To: Daniel Kahn Gillmor, Brian May,, Robbie Harwood

Cc:, Debian GnuPG packaging

From: David Bremner

Daniel Kahn Gillmor <> writes:
>  0) turn off CRL updates entirely during s/mime signature verification
>  1) do s/mime signature verification without CRL updates, but schedule
>     CRL checks to happen in the background for dirmngr, so that future
>     verifications will reflect the cert validity
>  2) have dirmngr avoid checking CRLs that it knows it has already
>     updated recently
>  3) tell dirmngr to use much shorter CRL fetch timeouts

> Any thoughts on the best way to pursue this?
>     --dkg

Maybe the issue is in gmime's usage of gpgme. If I understand correctly
(which is far from a sure thing), pkcs7_verify calls gpgme_op_verify
which is synchronous, and (apparently) does not support timeouts. An
alternate strategy would be to call gpgme_op_verify_start, and then call
gpgme_wait, which has a nonblocking mode. I don't really understand the
S/MIME model, but naively it seems OK for signature verification to fail
if the CRL check doesn't finish quickly.