Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG

2009-04-03 Thread Werner Koch
On Mon, 23 Mar 2009 21:17, d...@fifthhorseman.net said:

 Who controls keys.gnupg.net?  Werner?  Do you have plans to do any
 filtering like this?  It seems like it would be useful to have a pool
 that rejects hosts that at least admit to running versions with
 significant known bugs.

keys.gnupg.net is pretty new and I configure it manually.  I poll the
keyservers every hour or so to see whether they are still responding and
send a mail if they don't respond.  Everything else is done by hand for
now.  Let me know a list of bad SKS versions and I remove them.  Stats
are at http://keystats.gnupg.net .  I guess I should subscribe to the SKS
list as the old keyserver folks list seems to be dead.

 I wouldn't be surprised if it gives people the general impression that
 gpg or enigmail or keyservers or OpenPGP are just flakey tools.  That

Definitely more stable than any public X.509 infrastructure including
those which are required by the German tax law for checking qualified
signatures on invoices ;-).


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.



___
Sks-devel mailing list
Sks-devel@nongnu.org
http://lists.nongnu.org/mailman/listinfo/sks-devel


Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG

2009-04-03 Thread Daniel Kahn Gillmor
On 04/03/2009 08:01 AM, Werner Koch wrote:
 On Mon, 23 Mar 2009 21:17, d...@fifthhorseman.net said:
 keys.gnupg.net is pretty new and I configure it manually.  I poll the
 keyservers every hour or so to see whether they are still responding and
 send a mail if they don't respond.  Everything else is done by hand for
 now.  Let me know a list of bad SKS versions and I remove them.  Stats
 are at http://keystats.gnupg.net .  I guess I should subscribe to the SKS
 list as the old keyserver folks list seems to be dead.

SKS 1.0.10 is the only version i feel should be excluded, due to its
(mis)behavior when searching by keyID.

Unfortunately, that rules out the majority of the keyservers in
keys.gnupg.net and http-keys.gnupg.net

Feel free to add zimmermann.mayfirst.org to both pools if you like: it
listens on both 11371 and 80, and runs SKS 1.1.0.

 I wouldn't be surprised if it gives people the general impression that
 gpg or enigmail or keyservers or OpenPGP are just flakey tools.  That
 
 Definitely more stable than any public X.509 infrastructure including
 those which are required by the German tax law for checking qualified
 signatures on invoices ;-).

Believe me, i agree with you!  I was just commenting on the perception
that someone might have coming to it for the first time, knowing that
they need to pull down a key with a given keyid, and seeing what appears
to be non-deterministic behavior from the keyservers.

Regards,

--dkg





Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG

2009-03-24 Thread Daniel Kahn Gillmor
On 03/23/2009 07:05 PM, John Clizbe wrote:
 David Shaw wrote:
 None that I know of.  Eventually, such a thing will be necessary, but
 it would have to be done via whoever controls the particular keyserver
 round-robin.
 
 Or convince the keyserver operators running 1.0.10 to upgrade to 1.1.0
 or 1.1.1 (if it's released by then)

I think David's point was that if at least one keyserver operator
refuses to be convinced, then such a mechanism may be the only way to
deal with the situation.

 Folks may be holding back from upgrading because they don't want to
 upgrade their Berkeley DB version to 4.6.

That does sound unpleasant.  Who on the list has done this process?  Has
anyone documented the necessary steps?  Having clear documentation might
make such an event less intimidating, and encourage upgrades to
less-buggy versions.

--dkg





Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG

2009-03-24 Thread Phil Pennock
On 2009-03-24 at 11:12 -0400, Daniel Kahn Gillmor wrote:
 On 03/23/2009 07:05 PM, John Clizbe wrote:
  Folks may be holding back from upgrading because they don't want to
  upgrade their Berkeley DB version to 4.6.
 
 That does sound unpleasant.  Who on the list has done this process?  Has
 anyone documented the necessary steps?  Having clear documentation might
 make such an event less intimidating, and encourage upgrades to
 less-buggy versions.

Me, the other day; I had been running with sks linked against db-4.4
because that's what it ended up with on initial install; when switching
to Yaron's version of the IPv6 patch, I switched to db-4.7.

I shut down the old sks, ran db_recover-4.4 against the DB directories
(KDB & PTree) which replayed logs, etc, then started on the new sks,
which did the logs in the new format.  I don't think any of the rest of
what I did affected upgrade; there's a db_upgrade-4.7 but I don't think
it was needed for the format of DB used by sks -- my recollection is
that it errored out, so I just started sks/db-4.7 and it turned out to
be fine.

Make sure you either run db_recover-$OLDVERSION as the sks runtime user,
or if root that you chown the directories again afterwards; I did the
former.

Sorry, don't have the sks runtime user set up to keep persistent shell
history and I didn't keep separate notes.

-Phil




Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG

2009-03-23 Thread Yaron Minsky
Sorry, this is all explained by me getting all confused with the version
numbers.  Ignore my last post (except to point out that a new release needs
to come soon...)

y

2009/3/22 Daniel Kahn Gillmor d...@fifthhorseman.net

 On 03/22/2009 10:29 PM, Yaron Minsky wrote:
  I'm really confused.  People have piped in in both directions on this one,
  so does someone have the definitive story?  Is 1.0.10 the one that behaves
  correctly, or 1.0.9?

 So far i haven't heard anyone claim that 1.0.10 works correctly.  1.1.0
 works correctly, and david shaw just pointed out that 1.0.9 works
 correctly.  I believe 1.0.10 is the only version with this particular bug.

  And yes, we should get a 1.0.11 release out soon.  I was waiting for the
  IPv6 patch to settle down and for everyone to agree that it worked for IPv4
  and IPv6 installations alike.


 do you mean you're hoping to release 1.1.1 soon?  Or is there some sort
 of branched development process going on?

--dkg




Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG

2009-03-23 Thread David Shaw
On Sun, Mar 22, 2009 at 11:38:57PM -0400, Daniel Kahn Gillmor wrote:
 On 03/22/2009 10:29 PM, Yaron Minsky wrote:
  I'm really confused.  People have piped in in both directions on this one,
  so does someone have the definitive story?  Is 1.0.10 the one that behaves
  correctly, or 1.0.9?
 
 So far i haven't heard anyone claim that 1.0.10 works correctly.  1.1.0
 works correctly, and david shaw just pointed out that 1.0.9 works
 correctly.  I believe 1.0.10 is the only version with this particular bug.

That is my understanding as well.  1.0.9 works.  1.0.10 does not.

David




Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG

2009-03-23 Thread Daniel Kahn Gillmor
On 03/23/2009 04:02 PM, David Shaw wrote:
 On Sun, Mar 22, 2009 at 07:41:50PM -0400, Daniel Kahn Gillmor wrote:
 has any thought been
 given to requiring members of the keyserver pools to not run that
 version of SKS?  keys.gnupg.net itself contains several keyservers
 running 1.0.10, which misbehave in response to standard gpg searches by
 keyid.
 
 None that I know of.  Eventually, such a thing will be necessary, but
 it would have to be done via whoever controls the particular keyserver
 round-robin.

Kristian Fiskerstrand, i believe you're controlling
pool.sks-keyservers.net -- do you have any plans to reject members
running known-buggy versions?

Who controls keys.gnupg.net?  Werner?  Do you have plans to do any
filtering like this?  It seems like it would be useful to have a pool
that rejects hosts that at least admit to running versions with
significant known bugs.

Those of you who run keyserver pools: what software do you run to manage
the DNS?  Does it have the ability to reject by reported version?

 The odd thing here is that version has been broken for at least 2
 years, as I reported the problem in 2006.  Did nobody else notice, or
 are there still a bunch of 1.0.9 SKSes out there?

I agree that's pretty weird, but i think that most people don't
understand OpenPGP well enough to know that a failed search by key ID is
actually an error, or who to report it to if they see it (this is
especially true when the details of who is responsible are hidden by
round-robin DNS, and the problems seem intermittent).  In fact, come to
think of it, i saw behavior months ago which i now believe could be
attributed to this; a friend searched for my key through enigmail by
keyid, and couldn't find it.  I second-guessed myself at the time, and
thought that maybe you just can't search by keyid, and i'd been
misremembering.

I wouldn't be surprised if it gives people the general impression that
gpg or enigmail or keyservers or OpenPGP are just flakey tools.  That
would be a shame, since a lot of infrastructure that i care about relies
on them being non-flakey.

--dkg





Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG

2009-03-23 Thread John Clizbe
David Shaw wrote:
 On Sun, Mar 22, 2009 at 07:41:50PM -0400, Daniel Kahn Gillmor wrote:
 Given that this causes problems for users of gnupg, has any thought been
 given to requiring members of the keyserver pools to not run that
 version of SKS?  keys.gnupg.net itself contains several keyservers
 running 1.0.10, which misbehave in response to standard gpg searches by
 keyid.
 
 None that I know of.  Eventually, such a thing will be necessary, but
 it would have to be done via whoever controls the particular keyserver
 round-robin.

Or convince the keyserver operators running 1.0.10 to upgrade to 1.1.0
or 1.1.1 (if it's released by then)

Folks may be holding back from upgrading because they don't want to
upgrade their Berkeley DB version to 4.6.

 The odd thing here is that version has been broken for at least 2
 years, as I reported the problem in 2006.  Did nobody else notice, or
 are there still a bunch of 1.0.9 SKSes out there?

2-3 out of 40+ running 1.0.9

~1/4 of the 40-something running 1.0.10

All the others are running 1.1.0.

-- 
John P. Clizbe  Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net  or
 mailto:pgp-public-k...@gingerbear.net?subject=help

Q:Just how do the residents of Haiku, Hawai'i hold conversations?
A:An odd melody / island voices on the winds / surplus of vowels





Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG

2009-03-22 Thread Daniel Kahn Gillmor
On 03/22/2009 09:02 AM, Kim Minh Kaplan wrote:
 Daniel Kahn Gillmor:
 
 gpg generates an HTTP request like this:

 http://$foo:11371/pks/lookup?op=index&options=mr&search=0xD21739E9&exact=on
 [...]
 What is the right way to handle this?
 
 The simplest solution would be to remove the exact=on parameter.

That may work, but:

 * it's gpg generating that query, not me by hand, so i can't easily
change it (and i certainly can't change it for everyone who i want to
support).

 * the exact same query (with exact=on) *works* against SKS 1.1.0, and
also against pgp.mit.edu, which reports itself as pks_www/0.9.6

This makes me think that what we're seeing is a bug in older versions of
SKS that could cause serious incompatibilities.  The reason i found it
was a report from a user who was having difficulty searching for keys
from the keyservers by keyid.

--dkg



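An added example (not code from SKS, GnuPG or any pool operator) tying together the two checks this thread circles around: it rebuilds the lookup URL gpg generates, as quoted in dkg's message above, and decides from the machine-readable index whether the server actually answered the requested key ID rather than just returning HTTP 200; and it reads a server's self-reported version so a pool operator can apply the "reject hosts that admit to a known-bad version" filter dkg asks about earlier in the thread. The `pub:`/`uid:` line layout follows the HKP draft's `options=mr` format; the assumption that the SKS stats page advertises a `Version:` field, the sample responses, and the host names are mine and are marked as such in the code.

```python
"""Probe a keyserver the way gpg does, and vet its self-reported version.

Added example for this thread; it is not code from SKS, GnuPG or any pool
operator.  Everything marked "assumption" or "constructed" below is mine.
"""
import re
import sys
import urllib.request
from urllib.error import HTTPError, URLError

# The only release the thread identifies as misbehaving on exact=on searches.
KNOWN_BAD_VERSIONS = frozenset({"1.0.10"})


def build_lookup_url(host, search, port=11371, exact=True):
    """The lookup URL gpg generates for a key ID search, as quoted in the thread."""
    url = f"http://{host}:{port}/pks/lookup?op=index&options=mr&search={search}"
    return url + "&exact=on" if exact else url


def parse_mr_index(body):
    """Key IDs (uppercase hex, no 0x) from an options=mr index.

    Machine-readable index lines, per the HKP draft:
      info:<version>:<count>
      pub:<keyid or fingerprint>:<algo>:<keylen>:<created>:<expires>:<flags>
      uid:<escaped uid>:<created>:<expires>:<flags>
    """
    keyids = []
    for line in body.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) > 1 and fields[1]:
            keyids.append(fields[1].upper())
    return keyids


def lookup_ok(search, status, body):
    """True iff the response actually answers the requested key ID.

    HTTP status alone is not enough: a server that ignores exact=on and
    returns some other key is still a failed lookup from gpg's point of view.
    A pub line matches when its key ID or fingerprint ends with the requested
    hex digits, so 8-, 16- and 40-digit searches are all handled.
    """
    if status != 200:
        return False
    wanted = search.upper()
    if wanted.startswith("0X"):
        wanted = wanted[2:]
    return any(k.endswith(wanted) for k in parse_mr_index(body))


# Assumption: the SKS stats page (/pks/lookup?op=stats) shows the server's
# self-reported release as a "Version:" field, possibly split across HTML
# table cells.  The regex skips any tags between the label and the number.
_VERSION_RE = re.compile(
    r"Version:\s*(?:</?[A-Za-z][^>]*>\s*)*([0-9]+(?:\.[0-9]+)+)")


def parse_sks_version(stats_page):
    """Return the advertised version string, or None if the page has none."""
    m = _VERSION_RE.search(stats_page)
    return m.group(1) if m else None


def eligible_for_pool(version, bad=KNOWN_BAD_VERSIONS):
    """Pool policy from the thread: drop hosts that admit to a known-bad
    version.  A host that advertises no version at all is also rejected,
    since it cannot be vetted."""
    return version is not None and version not in bad


def fetch(url, timeout=10):
    """(status, body) for a GET; (None, '') if the host is unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, ""
    except URLError:
        return None, ""


def probe(host, search):
    """Live check over the network: version eligibility plus the gpg-style lookup."""
    status, stats = fetch(f"http://{host}:11371/pks/lookup?op=stats")
    version = parse_sks_version(stats) if status == 200 else None
    status, body = fetch(build_lookup_url(host, search))
    return version, eligible_for_pool(version), lookup_ok(search, status, body)


# Constructed sample responses (not captured from any real server).
GOOD_INDEX = "info:1:1\npub:D21739E9:17:1024:1200000000::\nuid:Example%20User:1200000000::\n"
WRONG_KEY_INDEX = "info:1:1\npub:0123456789ABCDEF:17:1024:1200000000::\n"
STATS_BAD = "<h2>Settings</h2><table><tr><td>Version:</td><td>1.0.10</td></tr></table>"
STATS_GOOD = "Hostname: keys.example.org\nVersion: 1.1.0\n"

if __name__ == "__main__":
    if len(sys.argv) == 3:          # usage: probe.py HOST 0xKEYID
        print(probe(sys.argv[1], sys.argv[2]))
    else:                           # offline: exercise the constructed samples
        print(lookup_ok("0xD21739E9", 200, GOOD_INDEX),         # True
              lookup_ok("0xD21739E9", 200, WRONG_KEY_INDEX),    # False
              lookup_ok("0xD21739E9", 404, ""),                 # False
              eligible_for_pool(parse_sks_version(STATS_BAD)),  # False
              eligible_for_pool(parse_sks_version(STATS_GOOD))) # True
```

Run with a host and key ID to probe a live server, or with no arguments to see the checks applied to the constructed samples. The point of `lookup_ok` checking the returned key ID, not just the status code, is the one dkg raises: a pool member that answers the gpg query with the wrong key, or with nothing, looks "up" to a liveness poll but is broken for every gpg user it is handed to.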


Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG

2009-03-22 Thread David Shaw

On Mar 22, 2009, at 11:08 AM, Daniel Kahn Gillmor wrote:

 This makes me think that what we're seeing is a bug in older versions of
 SKS that could cause serious incompatibilities.  The reason i found it
 was a report from a user who was having difficulty searching for keys
 from the keyservers by keyid.


The 'exact=on' problem is specific to 1.0.10.  It worked properly in 1.0.9.


See: http://www.mail-archive.com/sks-devel@nongnu.org/msg00287.html

David





Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG

2009-03-22 Thread Daniel Kahn Gillmor
On 03/22/2009 06:41 PM, David Shaw wrote:
 The 'exact=on' problem is specific to 1.0.10.  It worked properly in 1.0.9.
 
 See: http://www.mail-archive.com/sks-devel@nongnu.org/msg00287.html

Ah, thanks for the pointer, David.

Given that this causes problems for users of gnupg, has any thought been
given to requiring members of the keyserver pools to not run that
version of SKS?  keys.gnupg.net itself contains several keyservers
running 1.0.10, which misbehave in response to standard gpg searches by
keyid.

--dkg





Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG

2009-03-22 Thread Yaron Minsky
I'm really confused.  People have piped in in both directions on this one,
so does someone have the definitive story?  Is 1.0.10 the one that behaves
correctly, or 1.0.9?

And yes, we should get a 1.0.11 release out soon.  I was waiting for the
IPv6 patch to settle down and for everyone to agree that it worked for IPv4
and IPv6 installations alike.

y

2009/3/22 Daniel Kahn Gillmor d...@fifthhorseman.net

 On 03/22/2009 06:41 PM, David Shaw wrote:
  The 'exact=on' problem is specific to 1.0.10.  It worked properly in 1.0.9.
 
  See: http://www.mail-archive.com/sks-devel@nongnu.org/msg00287.html

 Ah, thanks for the pointer, David.

 Given that this causes problems for users of gnupg, has any thought been
 given to requiring members of the keyserver pools to not run that
 version of SKS?  keys.gnupg.net itself contains several keyservers
 running 1.0.10, which misbehave in response to standard gpg searches by
 keyid.

--dkg




Re: [Sks-devel] problems with SKS 1.0.10 when searching by key ID from GnuPG

2009-03-22 Thread Daniel Kahn Gillmor
On 03/22/2009 10:29 PM, Yaron Minsky wrote:
 I'm really confused.  People have piped in in both directions on this one,
 so does someone have the definitive story?  Is 1.0.10 the one that behaves
 correctly, or 1.0.9?

So far i haven't heard anyone claim that 1.0.10 works correctly.  1.1.0
works correctly, and david shaw just pointed out that 1.0.9 works
correctly.  I believe 1.0.10 is the only version with this particular bug.

 And yes, we should get a 1.0.11 release out soon.  I was waiting for the
 IPv6 patch to settle down and for everyone to agree that it worked for IPv4
 and IPv6 installations alike.


do you mean you're hoping to release 1.1.1 soon?  Or is there some sort
of branched development process going on?

--dkg


