Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG
On 04/03/2009 08:01 AM, Werner Koch wrote:
> On Mon, 23 Mar 2009 21:17, d...@fifthhorseman.net said:
>
> keys.gnupg.net is pretty new and I configure it manually. I poll the keyservers every hour or so to see whether they are still responding and send a mail if they don't respond. Everything else is done by hand for now. Let me know a list of bad SKS versions and I remove them. Stats are at http://keystats.gnupg.net . I guess I should subscribe to the SKS list as the old keyserver folks list seems to be dead.

SKS 1.0.10 is the only version i feel should be excluded, due to its (mis)behavior when searching by keyID. Unfortunately, that rules out the majority of the keyservers in keys.gnupg.net and http-keys.gnupg.net

Feel free to add zimmermann.mayfirst.org to both pools if you like: it listens on both 11371 and 80, and runs SKS 1.1.0.

>> I wouldn't be surprised if it gives people the general impression that gpg or enigmail or keyservers or OpenPGP are just flakey tools. That
>
> Definitely more stable than any public X.509 infrastructure including those which are required by the German tax law for checking qualified signatures on invoices ;-).

Believe me, i agree with you! I was just commenting on the perception that someone might have coming to it for the first time, knowing that they need to pull down a key with a given keyid, and seeing what appears to be non-deterministic behavior from the keyservers.

Regards,

--dkg

___
Sks-devel mailing list
Sks-devel@nongnu.org
http://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG
On Mon, 23 Mar 2009 21:17, d...@fifthhorseman.net said:

> Who controls keys.gnupg.net? Werner? Do you have plans to do any filtering like this? It seems like it would be useful to have a pool that rejects hosts that at least admit to running versions with significant known bugs.

keys.gnupg.net is pretty new and I configure it manually. I poll the keyservers every hour or so to see whether they are still responding and send a mail if they don't respond. Everything else is done by hand for now. Let me know a list of bad SKS versions and I remove them. Stats are at http://keystats.gnupg.net . I guess I should subscribe to the SKS list as the old keyserver folks list seems to be dead.

> I wouldn't be surprised if it gives people the general impression that gpg or enigmail or keyservers or OpenPGP are just flakey tools. That

Definitely more stable than any public X.509 infrastructure including those which are required by the German tax law for checking qualified signatures on invoices ;-).

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG
On 2009-03-24 at 11:12 -0400, Daniel Kahn Gillmor wrote:
> On 03/23/2009 07:05 PM, John Clizbe wrote:
>> Folks may be holding back from upgrading because they don't want to upgrade their Berkeley DB version to 4.6.
>
> That does sound unpleasant. Who on the list has done this process? Has anyone documented the necessary steps? Having clear documentation might make such an event less intimidating, and encourage upgrades to less-buggy versions.

Me, the other day; I had been running with sks linked against db-4.4 because that's what it ended up with on initial install; when switching to Yaron's version of the IPv6 patch, I switched to db-4.7.

I shut down the old sks, ran db_recover-4.4 against the DB directories (KDB & PTree) which replayed logs, etc, then started the new sks, which did the logs in the new format.

I don't think any of the rest of what I did affected the upgrade; there's a db_upgrade-4.7 but I don't think it was needed for the format of DB used by sks -- my recollection is that it errored out, so I just started sks/db-4.7 and it turned out to be fine.

Make sure you either run db_recover-$OLDVERSION as the sks runtime user, or if root that you chown the directories again afterwards; I did the former.

Sorry, I don't have the sks runtime user set up to keep persistent shell history and I didn't keep separate notes.

-Phil
Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG
On Mon, Mar 23, 2009 at 04:02:22PM -0400, David Shaw wrote:
> The odd thing here is that version has been broken for at least 2 years, as I reported the problem in 2006. Did nobody else notice, or are there still a bunch of 1.0.9 SKSes out there?

I went from 1.0.9 -> 1.1.0, skipping 1.0.10.

--Jack

--
Jack (John) Cummings http://mudshark.org/
PGP fingerprint: F18B 13A3 6D06 D48A 598D 42EA 3D53 BDC8 7917 F802
Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG
On 03/23/2009 07:05 PM, John Clizbe wrote:
> David Shaw wrote:
>> None that I know of. Eventually, such a thing will be necessary, but it would have to be done via whoever controls the particular keyserver round-robin.
>
> Or convince the keyserver operators running 1.0.10 to upgrade to 1.1.0 or 1.1.1 (if it's released by then)

I think David's point was that if at least one keyserver operator refuses to be convinced, then such a mechanism may be the only way to deal with the situation.

> Folks may be holding back from upgrading because they don't want to upgrade their Berkeley DB version to 4.6.

That does sound unpleasant. Who on the list has done this process? Has anyone documented the necessary steps? Having clear documentation might make such an event less intimidating, and encourage upgrades to less-buggy versions.

--dkg
Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG
David Shaw wrote:
> On Sun, Mar 22, 2009 at 07:41:50PM -0400, Daniel Kahn Gillmor wrote:
>> Given that this causes problems for users of gnupg, has any thought been given to requiring members of the keyserver pools to not run that version of SKS? keys.gnupg.net itself contains several keyservers running 1.0.10, which misbehave in response to standard gpg searches by keyid.
>
> None that I know of. Eventually, such a thing will be necessary, but it would have to be done via whoever controls the particular keyserver round-robin.

Or convince the keyserver operators running 1.0.10 to upgrade to 1.1.0 or 1.1.1 (if it's released by then)

Folks may be holding back from upgrading because they don't want to upgrade their Berkeley DB version to 4.6.

> The odd thing here is that version has been broken for at least 2 years, as I reported the problem in 2006. Did nobody else notice, or are there still a bunch of 1.0.9 SKSes out there?

2-3 out of 40+ running 1.0.9
~1/4 of the 40-something running 1.0.10
All the others are running 1.1.0.

--
John P. Clizbe  Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.
hkp://keyserver.gingerbear.net or mailto:pgp-public-k...@gingerbear.net?subject=help
Q: "Just how do the residents of Haiku, Hawai'i hold conversations?"
A: "An odd melody / island voices on the winds / surplus of vowels"
Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG
On 03/23/2009 04:02 PM, David Shaw wrote:
> On Sun, Mar 22, 2009 at 07:41:50PM -0400, Daniel Kahn Gillmor wrote:
>> has any thought been given to requiring members of the keyserver pools to not run that version of SKS? keys.gnupg.net itself contains several keyservers running 1.0.10, which misbehave in response to standard gpg searches by keyid.
>
> None that I know of. Eventually, such a thing will be necessary, but it would have to be done via whoever controls the particular keyserver round-robin.

Kristian Fiskerstrand, i believe you're controlling pool.sks-keyservers.net -- do you have any plans to reject members running known-buggy versions?

Who controls keys.gnupg.net? Werner? Do you have plans to do any filtering like this? It seems like it would be useful to have a pool that rejects hosts that at least admit to running versions with significant known bugs.

Those of you who run keyserver pools: what software do you run to manage the DNS? Does it have the ability to reject by reported version?

> The odd thing here is that version has been broken for at least 2 years, as I reported the problem in 2006. Did nobody else notice, or are there still a bunch of 1.0.9 SKSes out there?

I agree that's pretty weird, but i think that most people don't understand OpenPGP well enough to know that a failed search by key ID is actually an error, or who to report it to if they see it (this is especially true when the details of who is responsible are hidden by round-robin DNS, and the problems seem intermittent).

In fact, come to think of it, i saw behavior months ago which i now believe could be attributed to this; a friend searched for my key through enigmail by keyid, and couldn't find it. I second-guessed myself at the time, and thought that maybe you just can't search by keyid, and i'd been misremembering.

I wouldn't be surprised if it gives people the general impression that gpg or enigmail or keyservers or OpenPGP are just flakey tools. That would be a shame, since a lot of infrastructure that i care about relies on them being non-flakey.

--dkg
Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG
On Sun, Mar 22, 2009 at 11:38:57PM -0400, Daniel Kahn Gillmor wrote:
> On 03/22/2009 10:29 PM, Yaron Minsky wrote:
>> I'm really confused. People have piped in in both directions on this one, so does someone have the definitive story? Is 1.0.10 the one that behaves correctly, or 1.0.9?
>
> So far i haven't heard anyone claim that 1.0.10 works correctly. 1.1.0 works correctly, and david shaw just pointed out that 1.0.9 works correctly. I believe 1.0.10 is the only version with this particular bug.

That is my understanding as well. 1.0.9 works. 1.0.10 does not.

David
Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG
On Sun, Mar 22, 2009 at 07:41:50PM -0400, Daniel Kahn Gillmor wrote:
> On 03/22/2009 06:41 PM, David Shaw wrote:
>> The 'exact=on' problem is specific to 1.0.10. It worked properly in 1.0.9.
>>
>> See: http://www.mail-archive.com/sks-devel@nongnu.org/msg00287.html
>
> Ah, thanks for the pointer, David.
>
> Given that this causes problems for users of gnupg, has any thought been given to requiring members of the keyserver pools to not run that version of SKS? keys.gnupg.net itself contains several keyservers running 1.0.10, which misbehave in response to standard gpg searches by keyid.

None that I know of. Eventually, such a thing will be necessary, but it would have to be done via whoever controls the particular keyserver round-robin.

The odd thing here is that version has been broken for at least 2 years, as I reported the problem in 2006. Did nobody else notice, or are there still a bunch of 1.0.9 SKSes out there?

David
Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG
Sorry, this is all explained by me getting all confused with the version numbers. Ignore my last post (except to point out that a new release needs to come soon...)

y

2009/3/22 Daniel Kahn Gillmor
> On 03/22/2009 10:29 PM, Yaron Minsky wrote:
>> I'm really confused. People have piped in in both directions on this one, so does someone have the definitive story? Is 1.0.10 the one that behaves correctly, or 1.0.9?
>
> So far i haven't heard anyone claim that 1.0.10 works correctly. 1.1.0 works correctly, and david shaw just pointed out that 1.0.9 works correctly. I believe 1.0.10 is the only version with this particular bug.
>
>> And yes, we should get a 1.0.11 release out soon. I was waiting for the IPv6 patch to settle down and for everyone to agree that it worked for IPv4 and IPv6 installations alike.
>
> do you mean you're hoping to release 1.1.1 soon? Or is there some sort of branched development process going on?
>
> --dkg
Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG
On 03/22/2009 10:29 PM, Yaron Minsky wrote:
> I'm really confused. People have piped in in both directions on this one, so does someone have the definitive story? Is 1.0.10 the one that behaves correctly, or 1.0.9?

So far i haven't heard anyone claim that 1.0.10 works correctly. 1.1.0 works correctly, and david shaw just pointed out that 1.0.9 works correctly. I believe 1.0.10 is the only version with this particular bug.

> And yes, we should get a 1.0.11 release out soon. I was waiting for the IPv6 patch to settle down and for everyone to agree that it worked for IPv4 and IPv6 installations alike.

do you mean you're hoping to release 1.1.1 soon? Or is there some sort of branched development process going on?

--dkg
Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG
I'm really confused. People have piped in in both directions on this one, so does someone have the definitive story? Is 1.0.10 the one that behaves correctly, or 1.0.9?

And yes, we should get a 1.0.11 release out soon. I was waiting for the IPv6 patch to settle down and for everyone to agree that it worked for IPv4 and IPv6 installations alike.

y

2009/3/22 Daniel Kahn Gillmor
> On 03/22/2009 06:41 PM, David Shaw wrote:
>> The 'exact=on' problem is specific to 1.0.10. It worked properly in 1.0.9.
>>
>> See: http://www.mail-archive.com/sks-devel@nongnu.org/msg00287.html
>
> Ah, thanks for the pointer, David.
>
> Given that this causes problems for users of gnupg, has any thought been given to requiring members of the keyserver pools to not run that version of SKS? keys.gnupg.net itself contains several keyservers running 1.0.10, which misbehave in response to standard gpg searches by keyid.
>
> --dkg
Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG
On 03/22/2009 06:41 PM, David Shaw wrote:
> The 'exact=on' problem is specific to 1.0.10. It worked properly in 1.0.9.
>
> See: http://www.mail-archive.com/sks-devel@nongnu.org/msg00287.html

Ah, thanks for the pointer, David.

Given that this causes problems for users of gnupg, has any thought been given to requiring members of the keyserver pools to not run that version of SKS? keys.gnupg.net itself contains several keyservers running 1.0.10, which misbehave in response to standard gpg searches by keyid.

--dkg
Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG
On Mar 22, 2009, at 11:08 AM, Daniel Kahn Gillmor wrote:
> This makes me think that what we're seeing is a bug in older versions of SKS that could cause serious incompatibilities. The reason i found it was a report from a user who was having difficulty searching for keys from the keyservers by keyid.

The 'exact=on' problem is specific to 1.0.10. It worked properly in 1.0.9.

See: http://www.mail-archive.com/sks-devel@nongnu.org/msg00287.html

David
Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG
On 2009-03-22 at 11:08 -0400, Daniel Kahn Gillmor wrote:
> This makes me think that what we're seeing is a bug in older versions of SKS that could cause serious incompatibilities. The reason i found it was a report from a user who was having difficulty searching for keys from the keyservers by keyid.

Changelog for 1.1.0 contains:
  - Some small changes to index view

Since this has gone from not working to working, it looks like a change in the right direction.

With some recent activity providing Yaron with the asked-for other maintenance, we might even see a 1.1.1 release sometime soon, with the memory consumption fix, dump fix, IPv6 support, membership reload fix, etc, making it an upgrade that we can nudge many operators to upgrade to. Provided that people *without* IPv6 support confirm that with the two IPv6 patches it still works once they "disable_ipv6:" in their config files.

-Phil
Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG
On 03/22/2009 09:02 AM, Kim Minh Kaplan wrote:
> Daniel Kahn Gillmor:
>
>> gpg generates an HTTP request like this:
>>
>> http://$foo:11371/pks/lookup?op=index&options=mr&search=0xD21739E9&exact=on
> [...]
>> What is the right way to handle this?
>
> The simplest solution would be to remove the "exact=on" parameter.

That may work, but:

 * it's gpg generating that query, not me by hand, so i can't easily change it (and i certainly can't change it for everyone who i want to support).

 * the exact same query (with exact=on) *works* against SKS 1.1.0, and also against pgp.mit.edu, which reports itself as "pks_www/0.9.6"

This makes me think that what we're seeing is a bug in older versions of SKS that could cause serious incompatibilities. The reason i found it was a report from a user who was having difficulty searching for keys from the keyservers by keyid.

--dkg
Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG
Daniel Kahn Gillmor:

> gpg generates an HTTP request like this:
>
> http://$foo:11371/pks/lookup?op=index&options=mr&search=0xD21739E9&exact=on
[...]
> What is the right way to handle this?

The simplest solution would be to remove the "exact=on" parameter.

Kim Minh.
[Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG
Hi folks--

I'm getting gpg failures when searching by keyid. For this example, i'll just use my own key id:

  gpg --keyserver $foo --search D21739E9

for keyservers using HKP, gpg generates an HTTP request like this:

  http://$foo:11371/pks/lookup?op=index&options=mr&search=0xD21739E9&exact=on

Upsettingly, gpg sometimes indicates success, and sometimes failure with this exact same command, even if the keyserver name is the same, because the DNS round-robins over keyservers running different versions of sks. fwict, SKS 1.0.10 fails in response to this request, but 1.1.0 succeeds. All of the keyservers succeed in finding my key if i search by name.

What i've found is that keyservers reporting header Server: sks_www/1.0.10 produce the following response:

> HTTP/1.0 500 OK
> Server: sks_www/1.0.10
> Content-type: text/html; charset=UTF-8
>
> Error handling request\r\nError handling requestError handling request: No keys found

while keyservers running SKS 1.1.0 produce the expected response (HTTP return code 200, Content-Type text/plain, body consisting of a summary of my key information).

Here is a list of keyservers (pulled from my DNS's current responses for keys.gnupg.net and pool.sks-keyservers.net) that are failing the above request (and all running sks 1.0.10, fwict):

  194.171.167.147 minsky.surfnet.nl.
  129.128.98.22   pgp.srv.ualberta.ca.
  193.174.13.74   pgpkeys.pca.dfn.de.
  62.48.35.100    lorien.prato.linux.it.
  202.191.99.51   keyserver.oeg.com.au.
  213.239.212.133 minbari.maluska.de.
  130.206.1.8     gozer.rediris.es.

If you control a keyserver running SKS 1.0.10 or earlier, could you try searching by key ID against your keyserver? If you are able to upgrade it and try again, does that resolve the issue?

I don't know if people think this is serious enough to warrant changing membership in the pool, but at some point, a bug will be found that suggests that older versions should be rejected from the pool. Should the various keyserver pools have a mechanism to reject membership based on version? Or feature-based membership tests? What is the right way to handle this?

--dkg
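The original post above asks whether pools should reject members by reported version or by a feature-based membership test, and the 23 March follow-up asks whether the DNS management for a pool can reject by reported `Server:` version. The script below is an added example written for this page; it is not code from the thread, from SKS or from GnuPG. It builds the exact `/pks/lookup` request gpg sends for `--search <keyid>`, parses an HKP response, and applies both checks: a reject list of SKS versions (seeded with the 1.0.10 finding from the thread) and a live feature test that the machine-readable index actually comes back `200 text/plain` with a `pub:` line naming the key. The two embedded responses are constructed from the 500 and 200 behaviour the post describes; the key record fields (algorithm, length, dates, uid) are invented sample data, and `probe()` is a plausible live check that is not exercised offline.

```python
"""Probe HKP keyservers with the lookup gpg sends and decide pool membership.
Added example for this thread; not SKS or GnuPG code."""
import http.client
import re
from dataclasses import dataclass
from urllib.parse import urlencode

HKP_PORT = 11371
# Versions the thread identified as breaking 'exact=on' key-ID searches.
KNOWN_BAD_SKS = {(1, 0, 10)}


@dataclass
class HkpResponse:
    status: int
    server: str
    content_type: str
    body: str


def gpg_lookup_path(keyid: str) -> str:
    """The request path gpg generates for --search <keyid> against an HKP server."""
    kid = keyid.upper().removeprefix("0X")
    params = {"op": "index", "options": "mr", "search": "0x" + kid, "exact": "on"}
    return "/pks/lookup?" + urlencode(params)


def parse_raw_response(raw: bytes) -> HkpResponse:
    """Parse a captured HTTP/1.0 response: status line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", status_line)
    if not m:
        raise ValueError("not an HTTP response: %r" % status_line)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HkpResponse(int(m.group(1)), headers.get("server", ""),
                       headers.get("content-type", ""),
                       body.decode("utf-8", "replace"))


def sks_version(server_header: str):
    """(major, minor, patch) from 'sks_www/1.0.10'; None for other software."""
    m = re.search(r"sks_www/(\d+)\.(\d+)\.(\d+)", server_header)
    return tuple(int(x) for x in m.groups()) if m else None


def version_is_known_bad(server_header: str) -> bool:
    """Version-based test: reject anything that admits to a listed version."""
    return sks_version(server_header) in KNOWN_BAD_SKS


def index_lookup_works(resp: HkpResponse, keyid: str) -> bool:
    """Feature-based test: the mr index must be 200 text/plain and contain a
    'pub:' record whose key field is the key ID (or a fingerprint ending in it)."""
    if resp.status != 200 or not resp.content_type.lower().startswith("text/plain"):
        return False
    kid = keyid.upper().removeprefix("0X")
    for line in resp.body.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) > 1 and fields[1].upper().endswith(kid):
            return True
    return False


def pool_decision(resp: HkpResponse, keyid: str) -> tuple:
    """Admit only servers that pass both the version and the feature test."""
    if version_is_known_bad(resp.server):
        return False, "rejected: reported version %r is on the reject list" % resp.server
    if not index_lookup_works(resp, keyid):
        return False, "rejected: key-ID lookup returned HTTP %d %r" % (resp.status, resp.content_type)
    return True, "ok: " + (resp.server or "unknown server")


def probe(host: str, keyid: str, port: int = HKP_PORT, timeout: float = 10.0) -> HkpResponse:
    """Live probe of one pool member (probe each address, not the round-robin name)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", gpg_lookup_path(keyid))
        r = conn.getresponse()
        return HkpResponse(r.status, r.getheader("Server", ""),
                           r.getheader("Content-Type", ""),
                           r.read().decode("utf-8", "replace"))
    finally:
        conn.close()


# Constructed sample responses modelled on the two behaviours reported above.
SAMPLE_1_0_10 = (b"HTTP/1.0 500 OK\r\nServer: sks_www/1.0.10\r\n"
                 b"Content-type: text/html; charset=UTF-8\r\n\r\n"
                 b"Error handling request: No keys found")
SAMPLE_1_1_0 = (b"HTTP/1.0 200 OK\r\nServer: sks_www/1.1.0\r\n"
                b"Content-Type: text/plain\r\n\r\n"
                b"info:1:1\npub:D21739E9:17:1024:1100000000::\n"  # invented record fields
                b"uid:Example User <user@example.net>:1100000000::\n")

if __name__ == "__main__":
    for raw in (SAMPLE_1_0_10, SAMPLE_1_1_0):
        resp = parse_raw_response(raw)
        print(resp.server, pool_decision(resp, "D21739E9"))
```

The feature test is the stronger of the two: a server can lie about or omit its `Server:` header, but it cannot fake a correct `pub:` record for the key ID the probe asked about. Because the pool names round-robin across members, run `probe()` against each A record individually, which is also how gpg ends up hitting one member at a time.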