[Pkg-gnupg-maint] Bug#739424: gnupg dies with "gpg: out of secure memory [...]" since 1.4.16-1

Marc Lehmann schmorp at schmorp.de
Tue Sep 30 04:56:02 UTC 2014 

Werner, I find your reply disingenious - I cannot believe that you are not
aware that what you are writing is misleading and/or outright wrong.

On Mon, Sep 29, 2014 at 08:58:26AM +0200, Werner Koch <wk at gnupg.org> wrote:
> > NIST 2012 also recommends similar key sizes (15360 bits).
> 
> These are only projections to show that there is a need to switch to EC
> keys.

That might be your interpretation of the intent of their recommendations
(specifically, SP 800/57), but the facts still remain that experts do
not agree with you (disagreeing with your own claims). It also doesn't
invalidate the opinion of the other expert opinions provided (which you
have conveniently left out of your reply).

> > It is also against the GNU coding standards to have arbitrary limits such
> > as these. ("Avoid arbitrary limits on the length or number of any data
> 
> The GNU standards partly recommend ideas dating back to a time the
> Internet was young and innocent.  Nowadays connecting a box to the
> Internet means to vulnerable to a wide range of of attacks.

This is a strawman argument - which attacks would gnupg open itself up if
it increased the limit to be sufficient for longer keysizes recommended
by many crpytographic researchers, as requested in this ticket?

> Having no limits on input data and allocating buffer dynamically is a an
> easy way to DoS a service.

Again a strawman - firstly, gnupg can support the recommended keysizes
without dynamically allocating a buffer, and secondly, gnupg already
allocates the buffer in question dynamically. It simply places an
arbitrary (and very low) limit on the buffer.

> If you look at GnuPG code you will notice that there is no silent
> truncation of lines.

Werner, go and read the it: It says "any data structure", not "just
line lengths". I am sure you already know that, but why this disingenuous
comment about line lengths?

This bug report is not about line lengths, but about arbitrary limits.

You have provided zero evidence in favour of not fixing this bug, but
instead only strawmen and misleading arguments. I can only conclude that
you do not want fix this bug, keeping keysizes in gnupg arbitrarily low
for your own private reasons.

-- 
                The choice of a       Deliantra, the free code+content MORPG
      -----==-     _GNU_              http://www.deliantra.net
      ----==-- _       generation
      ---==---(_)__  __ ____  __      Marc Lehmann
      --==---/ / _ \/ // /\ \/ /      schmorp at schmorp.de
      -=====/_/_//_/\_,_/ /_/\_\

More information about the Pkg-gnupg-maint mailing list