[pkg-gnupg-maint] Bug#842291: notmuch processes frequently stuck in select()
Werner Koch
wk at gnupg.org
Thu Nov 24 23:18:56 UTC 2016
On Wed, 23 Nov 2016 18:19, dkg at fifthhorseman.net said:
> 0) turn off CRL updates entirely during s/mime signature verification
The gpgsm option is --disable-crl-checks.
> 1) do s/mime signature verification without CRL updates, but schedule
> CRL checks to happen in the background for dirmngr, so that future
> verifications will reflect the cert validity
As above but use
dirmngr-client --url --load-crl URLOFCRL
You need to know the URL of the CRL, though.
> 2) have dirmngr avoid checking CRLs that it knows it has already
> updated recently
A CRL carries a next-update date which is honored by dirmngr. Further,
dirmngr doesn't avoid to download a CRL unless 30 minutes have passed
since the last download.
> 3) tell dirmngr to use much shorter CRL fetch timeouts
gpgsm -k --enable-crl-check --force-crl-refresh USERID
> that's a 20-second lag between each failed check, adding up to 80
That seems to be caused by DNS lookups. For example ADNS keeps on
trying even if it has received an ENETUNREACH and thus no UDP query
packet has been sent out. We will very likely replace ADNS by a more
flexible library in the next GnuPG version.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.