
Re: [Savannah-hackers-public] long GPG keys


From: Bob Proulx
Subject: Re: [Savannah-hackers-public] long GPG keys
Date: Sat, 2 Feb 2019 12:48:55 -0700
User-agent: Mutt/1.10.1 (2018-07-13)

Hi Ineiev,

Ineiev wrote:
> Currently the 'gpg_key' column of the 'user' table has the 'text'
> type, this means 64k character limit.  Some users attempted
> to register longer GPG keys, and they were truncated.

Longer than 64K!  That seems very long to me.  This feels to me
(without looking) that they must be including something more in that
key upload than they should be including.  For example I have an
rsa4096 gpg key.  When exported using gpg 2.2.12 the resulting ascii
armored key size is 10987 bytes.  That would still comfortably fit
within the 64k text size limit.

I fear that people may be exporting their key incorrectly.  That
instead of the suggested command:

  Insert your (ASCII) public key here (made with gpg --export --armor KEYID):

Perhaps they are exporting their entire keyring?  When I leave off the
keyid and export my entire keyring my keyring is 77M in size.  I could
definitely imagine an unfamiliar user doing this and exporting their
entire keyring instead of just their own key.  And if they were a new
user unfamiliar with the process they might perhaps only have a
few other keys and the entire size might be only modestly larger than
64K in size.

> I think this could be fixed with
> 'alter table user modify gpg_key mediumtext'
> (at least, it worked for the test instance at
> https://i18n.frontend0.savannah.gnu.org).
> 
> Can there be reasons _not_ to do that?

Obviously in the above I am hoping for more digging into what is in
those large keys.  Because I think this should not be needed and that
something else is wrong.

But taking the question literally (just me being pedantic) the reason
not to do that is that:

+ It could cover up a key dump usage problem.
+ It could pollute the database with very large (useless) blobs making
the db harder to manage.
+ It could become known to malicious users as a location to store
arbitrarily large files.

Thank you for digging into this! :-)

Bob
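
Added example, not part of the message above and not Savannah's code: one way to tell a single exported key from a keyring dump or a cut-off upload is to walk the OpenPGP packets in the pasted text and count primary public key packets (tag 6). The function names are hypothetical, the size limit is the 'text' column capacity from the thread, and make_sample() builds constructed packets with dummy bodies rather than real keys.

```python
import base64

MAX_ARMORED_BYTES = 65535  # MySQL 'text' column capacity, the 64k limit in the thread
BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def dearmor(armored):
    """Decode one armored block; a missing END line means a cut-off upload."""
    lines = [l.strip() for l in armored.splitlines()]
    if lines.count(BEGIN) != 1 or lines.count(END) != 1:
        raise ValueError("expected exactly one complete armored block")
    body = lines[lines.index(BEGIN) + 1:lines.index(END)]  # headers, base64, CRC24
    return base64.b64decode("".join(l for l in body if ":" not in l and l[:1] != "="))

def packet_tags(data):
    """Yield each packet's tag by walking the RFC 4880 section 4.2 headers."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if (hdr & 0xC0) == 0xC0 and not 224 <= data[i] < 255:  # new format
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            else:                                              # first == 255
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
        elif (hdr & 0xC0) == 0x80 and (hdr & 3) != 3:          # old format
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        else:  # bit 7 clear, partial body length, or indeterminate length
            raise ValueError("invalid or unsupported packet header")
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag
        i += length

def check_upload(armored):
    """Return (ok, reason) for text pasted into the gpg_key field."""
    if len(armored.encode()) > MAX_ARMORED_BYTES:
        return False, "larger than the column"
    try:
        keys = sum(tag == 6 for tag in packet_tags(dearmor(armored)))  # 6 = public key
    except (ValueError, IndexError) as exc:
        return False, "malformed: %s" % exc
    return keys == 1, "%d primary key(s)" % keys

def make_sample(n_keys):  # constructed input: n fake (key, user ID) packet pairs
    raw = (bytes([0x99, 0, 4]) + b"\x04KEY" + bytes([0xB4, 3]) + b"uid") * n_keys
    return "%s\n\n%s\n%s\n" % (BEGIN, base64.b64encode(raw).decode(), END)
```

Subkeys (tag 14), user IDs and signatures are not counted, so a single key with many signatures still reports one primary key.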
