signature-flooded keys: introduce import-filter (gpg >= 2.1.15) or ask for gpg upgrade (gpg < 2.1.15)
We had a discussion in !291 (closed) about possible mitigations given the current situation in regard to the signature-flooded keys.
So the biggest problem with both import-options is that they apparently were released with gpg v2.1.4. Schleuder v3.4 supports gpg >= 2.0. To use those options would be a breaking change.
Besides they don't help that well: importing C4BC2DDB38CCE96485EBE9C2F20691179038E5C6 (dkg's flooded key) into an old-style keyring with either of those options takes >11 minutes on my laptop, most of that time eating a whole CPU core. Also after the import encrypting to that key takes ~33 seconds. Those numbers do not indicate a good solution, I think.
What works better is using an import-filter that drops all non-self-signatures:
--import-filter drop-sig="sig_created_d > 0000-00-00"
Importing the key with this option takes 50-55 seconds, encrypting to it takes 0.035-0.045 seconds. That is tolerable, I'd say. (Losing access to new non-self-signatures is not a big problem for Schleuder, I'd say. We use always-trust anyway.)
Problem is: that option was only added in gpg v2.1.15. We can't introduce that feature mandatorily in Schleuder v3.4, either.
What we could do is use that filter if the gpg version is recent enough, and put (or send) out big warnings in case it is older. In my eyes that might be the best technical option.
[...]
I guess if we all agree that this is a good plan, let's do this. I've set the milestone to %3.4.1.
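The version gate proposed above, sketched as an added example (not part of the original issue and not Schleuder's code). The method names `parse_gpg_version` and `import_plan` and the sample `gpg --version` lines are assumptions; the filter expression and the 2.1.15 threshold are taken from the issue text.

```ruby
# Added example, not Schleuder's code: method names are hypothetical.
require 'rubygems' # Gem::Version compares segments numerically (2.1.4 < 2.1.15)

# First gpg release with --import-filter, per the issue text.
IMPORT_FILTER_MIN = Gem::Version.new('2.1.15')
# Filter from the issue text. The shell quotes are dropped because the
# arguments are meant to be passed as an argv array, not through a shell.
DROP_SIG_FILTER = 'drop-sig=sig_created_d > 0000-00-00'

# Extract the version from the first line of `gpg --version` output.
# Returns nil when no version can be recognised.
def parse_gpg_version(version_output)
  first_line = version_output.to_s.lines.first.to_s
  match = first_line.match(/\bgpg \(GnuPG[^)]*\) (\d+(?:\.\d+)+)/)
  match && Gem::Version.new(match[1])
end

# Decide how to call gpg for a key import. Unknown versions are treated
# like old ones: no filter is passed (an old gpg would reject the option)
# and a warning is returned for the operator.
def import_plan(version_output)
  version = parse_gpg_version(version_output)
  if version && version >= IMPORT_FILTER_MIN
    { args: ['--import-filter', DROP_SIG_FILTER, '--import'], warning: nil }
  else
    found = version ? version.to_s : 'unknown'
    { args: ['--import'],
      warning: "gpg #{found} lacks --import-filter (needs >= #{IMPORT_FILTER_MIN}); " \
               'signature-flooded keys will import slowly. Please upgrade gpg.' }
  end
end

# Constructed sample outputs of `gpg --version` (first lines only).
SAMPLES = [
  "gpg (GnuPG) 2.0.30\n",
  "gpg (GnuPG) 2.1.4\n",
  "gpg (GnuPG) 2.1.15\n",
  "gpg (GnuPG) 2.2.27-unknown\n",
  "not gpg output\n"
].freeze

SAMPLES.each do |out|
  plan = import_plan(out)
  puts "#{out.chomp.inspect}: gpg #{plan[:args].join(' ')}"
  warn "  WARNING: #{plan[:warning]}" if plan[:warning]
end
```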