Managing the WoT with GPG

Peter Lebbing peter at
Fri Jun 23 17:56:18 CEST 2017

On 23/06/17 15:50, Neal H. Walfield wrote:
> Ensuring that a cache is consistent is *hard*.  I don't think we want
> to add complexity (nevermind a cache!) to this security-critical
> functionality.

There are two hard problems in computer science: Cache invalidation,
naming things, and off-by-one errors.

Martin, I think --no-auto-check-trustdb and a cron job will already make
it much more bearable, with the current state of things. That's what I'd

Other than that, I don't think my outlined strategy is very complex, it
basically boils down to not actually checking a signature until it is
used to compute validity, and stop for a specific key when full validity
is reached. I could be wrong though. It just doesn't seem like it should
be high on a TODO list, which in practice probably means it won't be
done. If the cron job wasn't available as an option, the situation would
be different.


PS: I didn't come up with "There are two..." but I can't be arsed to
look up proper attribution :-).

I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20170623/61fb1667/attachment.sig>

More information about the Gnupg-users mailing list