[Pkg-gnupg-maint] Bug#739424: gnupg dies with "gpg: out of secure memory [...]" since 1.4.16-1

Marc Lehmann schmorp at schmorp.de
Wed Oct 1 18:01:45 UTC 2014


On Wed, Oct 01, 2014 at 07:01:27PM +0200, Werner Koch <wk at gnupg.org> wrote:
> and 3072 DSA (as per standard).  If you hack the system or use a bug to
> create way larger keys you are on your own.

Werner, please don't accuse people of "hacking systems" or exploiting bugs
- people who used documented features in gnupg in the past, or features in
other implementations run into this issue just as well.

It doesn't do you well to reduce these people to those having done
something weird. Some might have legitimate reasons, too - the most
obvious reason is that long RSA keys are expected to last longer against
quantum computer attacks (whether this will turn out to be true, or not,
or unneeded is not something we can know today).

And regarding elliptic curves - you are surely aware that it is mostly
gnupg that kept elliptic curves back in the openpgp arena.

> > The fix would be trivial without sacrificing any security.
> 
> It is sometimes better not to fix things.

Well, obviously not in this case.

> In this case I do not want to help the race to more and more stupid key
> properties.  If there is a problem with an 8k RSA key I am willing to
> help, but somewhere we have to stop.

Werner, you repeatedly call these key sizes stupid, even though I have
shown that professional crypto experts disagree with that (do any agree
with you?). What's the point? Just because you (a non-cryptographer¹)
think these are stupid doesn't make them so.

You are _of course_ entitled to your opinion, but it's really just an
opinion that is in disagreement with the experts in the field.

That's not a basis for good crypto, and certainly not a good reason not to
fix this in Debian GNU/Linux.

(1) I certainly respect you for your cryptographic knowledge, as a
coder, and certainly as a human being with interesting input, but we
both maintain GNU crypto software, and we are both "just" coders, not
cryptography professionals.

-- 
                The choice of a       Deliantra, the free code+content MORPG
      -----==-     _GNU_              http://www.deliantra.net
      ----==-- _       generation
      ---==---(_)__  __ ____  __      Marc Lehmann
      --==---/ / _ \/ // /\ \/ /      schmorp at schmorp.de
      -=====/_/_//_/\_,_/ /_/\_\


