documenting trouble with two keyring arrangement.

author Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Mon, 15 Sep 2008 01:41:18 +0000 (21:41 -0400)

committer Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Mon, 15 Sep 2008 01:41:18 +0000 (21:41 -0400)
author Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Mon, 15 Sep 2008 01:41:18 +0000 (21:41 -0400)
committer Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Mon, 15 Sep 2008 01:41:18 +0000 (21:41 -0400)
diff --git a/website/bugs/problems-with-root-owned-gpg-keyrings.mdwn b/website/bugs/problems-with-root-owned-gpg-keyrings.mdwn

new file mode 100644 (file)

index 0000000..65268c5
--- /dev/null
+++ b/website/bugs/problems-with-root-owned-gpg-keyrings.mdwn
@@ -0,0 +1,24 @@
+[[meta title="Problems with root-owned gpg keyrings"]]
+
+`/var/lib/monkeysphere/gnupg-host/` is root-owned, and the public
+keyring in that directory is controlled by the superuser.
+
+We currently expect the `monkeysphere` user to read from (but not
+write to) that keyring.  But using a keyring in a directory that you
+don't control appears to trigger [a subtle bug in
+gpg](http://bugs.debian.org/361539) that has been unresolved for quite
+a long time.
+
+With some of the new error checking i'm doing in
+`monkeysphere-server`, typical operations that involve both keyrings
+as the non-privileged user can fail with an error message like:
+
+    gpg: failed to rebuild keyring cache: file open error
+
+Running the relevant operation a second time as the same user usually
+lets things go through without a failure, but this seems like it would
+be hiding a bug, rather than getting it fixed correctly.
+
+Are there other ways we can deal with this problem?
+
+--dkg
author	Daniel Kahn Gillmor <dkg@fifthhorseman.net>
	Mon, 15 Sep 2008 01:41:18 +0000 (21:41 -0400)
committer	Daniel Kahn Gillmor <dkg@fifthhorseman.net>
	Mon, 15 Sep 2008 01:41:18 +0000 (21:41 -0400)