[Kde-pim] Review Request 124950: Kleo: Disable CRL checks for list all keys job

Andre Heinecke aheinecke at intevation.de
Fri Aug 28 08:15:16 BST 2015



> On Aug. 27, 2015, 11:14 p.m., Sandro Knauß wrote:
> > CMakeLists.txt, line 66
> > <https://git.reviewboard.kde.org/r/124950/diff/1/?file=399337#file399337line66>
> >
> >     the version of GPGME is 1.6.0 and not 4.80.0, or where does this version come from?

The variable name is wrong there. This is the gpgmepp version required. This variable is used in find_package(KF5Gpgmepp ${GPGME_LIB_VERSION} ...
Gpgmepp has a feature check for the get/set offline feature. So there is no hard requirement against gpgme-1.6.0.


- Andre


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/124950/#review84498
-----------------------------------------------------------


On Aug. 27, 2015, 12:41 p.m., Andre Heinecke wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/124950/
> -----------------------------------------------------------
> 
> (Updated Aug. 27, 2015, 12:41 p.m.)
> 
> 
> Review request for KDEPIM.
> 
> 
> Bugs: 339385
>     http://bugs.kde.org/show_bug.cgi?id=339385
> 
> 
> Repository: kdepim
> 
> 
> Description
> -------
> 
> Not much code to review here but I'd like to get approval for this
> as this is a functionality change.
> 
> Also is it enough to bump the required gpgmepp version or do
> I have to modify something else not to break kdesrc-build or the CI?
> 
> Rationale for this change:
> 
> On startup Kleopatra does a listAllKeysJob with validation
> to get all certificates GnuPG knows about.
> 
> We need to list keys in keylist mode validate to
> get trust and trustchain information for X509
> certificates. By default this includes CRL / OCSP
> checks. The new "offline" mode introduced with
> gpgsm 2.1.6 allows us to list all keys with validation
> but without consulting remote sources.
> 
> This speeds up the time until Kleopatra is usable
> as an application or as a UI Server drastically
> as CRL checks can be infinitely slow and old keyrings
> with a lot of certificates might also include a lot
> of broken CRL servers that would be queried until
> the fetch operation times out.
> 
> While disabling CRL checks looks like less security
> this should actually improve security as the usual
> workaround for this bug was to disable-crl checks completely.
> Now they are still done when it's important
> (once a certificate is actually used). Also validating the
> complete keyring on startup might be considered a privacy leak,
> but that's a general problem with CRLs.
> 
> This setting (like mode validate) does not affect OpenPGP keylisting.
> 
> 
> While this is a bugfix it needs gpgme 1.6.0 (released yesterday)
> and gnupg 2.1.6 to work so I don't think it should be backported.
> 
> 
> Diffs
> -----
> 
>   CMakeLists.txt e38216e 
>   libkleo/backends/qgpgme/qgpgmebackend.cpp 02d451b 
> 
> Diff: https://git.reviewboard.kde.org/r/124950/diff/
> 
> 
> Testing
> -------
> 
> Using it myself for some time and it's part of gpg4win-2.2.5.
> 
> 
> Thanks,
> 
> Andre Heinecke
> 
>
