[pkg-gnupg-maint] Bug#842291: notmuch processes frequently stuck in select()

Werner Koch wk at gnupg.org
Thu Nov 24 23:18:56 UTC 2016


On Wed, 23 Nov 2016 18:19, dkg at fifthhorseman.net said:

>  0) turn off CRL updates entirely during s/mime signature verification

The gpgsm option is --disable-crl-checks.  

>  1) do s/mime signature verification without CRL updates, but schedule
>     CRL checks to happen in the background for dirmngr, so that future
>     verifications will reflect the cert validity

As above but use 

  dirmngr-client --url --load-crl URLOFCRL

You need to know the URL of the CRL, though.

>  2) have dirmngr avoid checking CRLs that it knows it has already
>     updated recently

A CRL carries a next-update date which is honored by dirmngr.  Further,
dirmngr doesn't download a CRL unless 30 minutes have passed
since the last download.

>  3) tell dirmngr to use much shorter CRL fetch timeouts

gpgsm -k  --enable-crl-check --force-crl-refresh  USERID

> that's a 20-second lag between each failed check, adding up to 80

That seems to be caused by DNS lookups.  For example ADNS keeps on
trying even if it has received an ENETUNREACH and thus no UDP query
packet has been sent out.   We will very likely replace ADNS by a more
flexible library in the next GnuPG version.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.