Why does gpg -k write to tofu.db?

Werner Koch wk at gnupg.org
Tue Aug 25 16:03:24 CEST 2020

On Tue, 11 Aug 2020 14:56, Brian Minton said:

> Why does gpg -k need to write to the tofu db?  I should mention that gpg
> is running at 100% cpu in the R state.  Before starting the gpg -k

I was not able to replicate it but I must say that I don't have a large
useful tofu.db.  AFAICS, gpg sometimes updates the tofu.db to track
expired bindings.  You can have a closer look at hi8t by running

  gpg -k --debug trust

or to disable updates by using

  gpg -k --dry-run

I suspect that the TOFU database scheme is not well suited for large
number of keys.  In particular not if several gpg processes are running.
I also don't like that it stores meta data of all signatures ever

Revamping the tofu stuff is on my list but I have not yet found the time
(as usual).  The Tofu information should be stored along the key and not
in a separate database with all its transaction overhead.  The optional
keyboxd we will provide in 2.3 may help to solve the problems.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20200825/98f6545b/attachment.sig>

More information about the Gnupg-users mailing list