ownertrust database cleared on gpg 2.1 key import

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Nov 8 00:24:15 CET 2014


hi GnuPG folks--

It looks to me like gpg 2.1.0 is clearing parts of the ownertrust
database when used with the same homedir as 1.4.x.  There may be other
circumstances where ownertrust is cleared as well.

Consider a user who starts with a conversion to 2.1.0 over keys for
Alice and Bob.  So ~/.gnupg/.gpg-v21-migrated is present.

Then the user ("Ed") creates a new key for himself with gpg 1.4, and
imports keys for Carol and David (also with gpg 1.4).  The user (still
using 1.4) signs Carol and Bob's keys, and marks Carol with full
ownertrust, and Bob with marginal ownertrust.

At this point, gpg 1.4 knows the ownertrustdb looks like this:

$BOB:4:
$CAROL:5:
$ED:6:

But now the user tries to use gpg2, which only knows about Alice and
Bob's keys.  As a result, the user imports the keys:

 gpg --export | gpg2 --import

In doing this, gpg2 appears to actively clear the ownertrust values for
Carol and Ed's keys, leaving the user with no ultimately-trusted keys in
either version of gpg, 2.1 or 1.4.

This is particularly troubling, because:

 (a) it's difficult to notice that the trustdb has changed -- it's not
     an obvious scenario, and users can go hours or days without being
     aware that something is wrong.

and

 (b) Even if the user is aware of it, older versions of the trustdb do
     not appear to be backed up anywhere, and this is user-entered data
     that isn't stored anywhere else, so it's difficult or impossible to
     recover from.

So I guess one question is:

 * is it intentional for gpg2 to clear the trustdb entry for a key that
   it didn't have a copy of, but which was mentioned in the trustdb?

and if so, why -- and is that something that should change?

     --dkg