Re: Building SKS on Alpine Linux 3.12 with ocaml 4.08

[Ángel]

On 2020-10-14 at 21:05 -0700, Todd Fleisher wrote:
> I personally recommend an Ubuntu 18.04LTS system, using the somewhat
> patched package found @ 
> https://launchpad.net/~canonical-sysadmins/+archive/ubuntu/sks-public/+packages
>  to protect against the so-called “poison keys” that will almost
> certainly cause your system to be unstable & use much more bandwidth
> & IO than is necessary. This path will render compilation
> unnecessary.
> 
> -T

First of all, those patches protect against a single poison key,
0xE41ED3A107A7DBC7. By skipping the merge of changes to it, I think.

Second, this may actually not be a good idea at all. sks key
reconciliation works by having two servers with different contents for
a "file" end up with the same one. If one of the parties is picky and
reject some keys the other has, the system might fall apart.
Ideally, a rejection of certain keys would have to be network-wide.
Otherwise, the reconciliation could fail, or the servers might be
continuously retrying that key which is actually rejected by the other
party. I'm not sure if this is actually a problem with this patch (I
hope someone better understanding the protocol can chime in and
explain), but seems a reason for concern.
Also, I expect that if you started from a dump which already has the
forbidden key, this patch was probably a no-op and that reconciliation
issue would go unnoticed.


Best regards