GNU bug report logs - #62294
gnupg is pinned at 2.2.32 for bug that is fixed upstream

Package: guix

Reported by: Ethan Blanton <elb <at> kb8ojh.net>

Date: Mon, 20 Mar 2023 13:02:01 UTC

Severity: normal

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#62294; Package guix. (Mon, 20 Mar 2023 13:02:02 GMT)

Acknowledgement sent to Ethan Blanton <elb <at> kb8ojh.net>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Mon, 20 Mar 2023 13:02:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Ethan Blanton <elb <at> kb8ojh.net>
To: bug-guix <at> gnu.org
Subject: gnupg is pinned at 2.2.32 for bug that is fixed upstream
Date: Mon, 20 Mar 2023 09:01:33 -0400

It looks like the gnupg package is pinned at 2.2.32 with the following
note:

    ;; Note2: 2.2.33 currently suffers from regressions, so do not update to it
    ;; (see: https://dev.gnupg.org/T5742).

However, the bug referenced here is fixed in upstream commit
4cc724639c012215f59648cbb4b7631b9d352e36, which shipped in gnupg
2.2.34.  Meanwhile, all gnupg releases older than 2.2.35 suffer from
an S/MIME key-parsing bug (referenced in
https://www.mail-archive.com/gnupg-users <at> gnupg.org/msg40758.html).

I believe the pin on 2.2.32 can be lifted, but as gnupg is important
infrastructure I am unsure about directly submitting a patch to update
to a newer version.

Ethan




Information forwarded to bug-guix <at> gnu.org:
bug#62294; Package guix. (Tue, 04 Apr 2023 11:52:03 GMT)

Message #8 received at 62294 <at> debbugs.gnu.org:

From: Simon Tournier <zimon.toutoune <at> gmail.com>
To: Ethan Blanton <elb <at> kb8ojh.net>, 62294 <at> debbugs.gnu.org
Subject: Re: bug#62294: gnupg is pinned at 2.2.32 for bug that is fixed
 upstream
Date: Tue, 04 Apr 2023 11:48:31 +0200

Hi,

On Mon, 20 Mar 2023 at 09:01, Ethan Blanton via Bug reports for GNU Guix <bug-guix <at> gnu.org> wrote:
> I believe the pin on 2.2.32 can be lifted, but as gnupg is important
> infrastructure I am unsure about directly submitting a patch to update
> to a newer version.

Well, graft does not seem recommended because it would update to two
versions.  And update the package would be a core-updates.

Well, maybe it could be of the current core-updates dance.  Could you
send a patch for core-updates?


Cheers,
simon




Information forwarded to bug-guix <at> gnu.org:
bug#62294; Package guix. (Tue, 04 Apr 2023 16:24:02 GMT)

Message #11 received at 62294 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Simon Tournier <zimon.toutoune <at> gmail.com>
Cc: Ethan Blanton <elb <at> kb8ojh.net>, 62294 <at> debbugs.gnu.org
Subject: Re: bug#62294: gnupg is pinned at 2.2.32 for bug that is fixed
 upstream
Date: Tue, 4 Apr 2023 12:23:39 -0400

On Tue, Apr 04, 2023 at 11:48:31AM +0200, Simon Tournier wrote:
> On Mon, 20 Mar 2023 at 09:01, Ethan Blanton via Bug reports for GNU Guix <bug-guix <at> gnu.org> wrote:
> > I believe the pin on 2.2.32 can be lifted, but as gnupg is important
> > infrastructure I am unsure about directly submitting a patch to update
> > to a newer version.

Thanks for letting us know!

> Well, graft does not seem recommended because it would update to two
> versions.  And update the package would be a core-updates.
> 
> Well, maybe it could be of the current core-updates dance.  Could you
> send a patch for core-updates?

GnuPG does have a large number of dependent packages, but I'd argue
that's either 1) a bug or 2) something we should ignore and update
freely. It's a critical package, and did not used to have such a large
number of dependents. It's really a problem for the distro if we don't
allow ourselves to update packages like this freely.




Information forwarded to bug-guix <at> gnu.org:
bug#62294; Package guix. (Tue, 04 Apr 2023 16:34:01 GMT)

Message #14 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Ethan Blanton via Bug reports for GNU Guix <bug-guix <at> gnu.org>
Cc: 62294 <at> debbugs.gnu.org
Subject: Re: bug#62294: gnupg is pinned at 2.2.32 for bug that is fixed
 upstream
Date: Tue, 4 Apr 2023 12:33:36 -0400

On Mon, Mar 20, 2023 at 09:01:33AM -0400, Ethan Blanton via Bug reports for GNU Guix wrote:
> However, the bug referenced here is fixed in upstream commit
> 4cc724639c012215f59648cbb4b7631b9d352e36, which shipped in gnupg
> 2.2.34.  Meanwhile, all gnupg releases older than 2.2.35 suffer from
> an S/MIME key-parsing bug (referenced in
> https://www.mail-archive.com/gnupg-users <at> gnupg.org/msg40758.html).

Does this bug have a CVE ID, or any information from upstream about
where it was fixed? It's hard to find release notes on the GnuPG
website.




Information forwarded to bug-guix <at> gnu.org:
bug#62294; Package guix. (Tue, 04 Apr 2023 16:34:02 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#62294; Package guix. (Tue, 04 Apr 2023 17:33:02 GMT)

Message #20 received at 62294 <at> debbugs.gnu.org:

From: Simon Tournier <zimon.toutoune <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: Ethan Blanton <elb <at> kb8ojh.net>, 62294 <at> debbugs.gnu.org
Subject: Re: bug#62294: gnupg is pinned at 2.2.32 for bug that is fixed
 upstream
Date: Tue, 04 Apr 2023 19:31:47 +0200

Hi Leo,

On Tue, 04 Apr 2023 at 12:23, Leo Famulari <leo <at> famulari.name> wrote:

>> Well, graft does not seem recommended because it would update to two
>> versions.  And update the package would be a core-updates.
>> 
>> Well, maybe it could be of the current core-updates dance.  Could you
>> send a patch for core-updates?
>
> GnuPG does have a large number of dependent packages, but I'd argue
> that's either 1) a bug or 2) something we should ignore and update
> freely. It's a critical package, and did not used to have such a large
> number of dependents. It's really a problem for the distro if we don't
> allow ourselves to update packages like this freely.

Maybe I am doing something wrong, I get:

--8<---------------cut here---------------start------------->8---
$ guix refresh -l gnupg | cut -f1 -d':'
Building the following 1491 packages would ensure 2880 dependent packages are rebuilt
--8<---------------cut here---------------end--------------->8---

So the impact is ~10% of all the packages.  From a quick look, some
packages are intensive to rebuild, to my knowledge.

Are you proposing to graft?


Cheers,
simon




Information forwarded to bug-guix <at> gnu.org:
bug#62294; Package guix. (Wed, 05 Apr 2023 01:28:01 GMT)

Message #23 received at 62294 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Simon Tournier <zimon.toutoune <at> gmail.com>
Cc: Ethan Blanton <elb <at> kb8ojh.net>, 62294 <at> debbugs.gnu.org
Subject: Re: bug#62294: gnupg is pinned at 2.2.32 for bug that is fixed
 upstream
Date: Tue, 4 Apr 2023 21:27:18 -0400

On Tue, Apr 04, 2023 at 07:31:47PM +0200, Simon Tournier wrote:
> Maybe I am doing something wrong, I get:
> 
> --8<---------------cut here---------------start------------->8---
> $ guix refresh -l gnupg | cut -f1 -d':'
> Building the following 1491 packages would ensure 2880 dependent packages are rebuilt
> --8<---------------cut here---------------end--------------->8---
> 
> So the impact is ~10% of all the packages.  From a quick look, some
> packages are intensive to rebuild, to my knowledge.

Yes, that's correct. But our build farm can easily build these packages
quickly, if we wanted to use it for that.




Information forwarded to bug-guix <at> gnu.org:
bug#62294; Package guix. (Thu, 06 Apr 2023 08:45:01 GMT)

Message #26 received at 62294 <at> debbugs.gnu.org:

From: Simon Tournier <zimon.toutoune <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: Ethan Blanton <elb <at> kb8ojh.net>, 62294 <at> debbugs.gnu.org
Subject: Re: bug#62294: gnupg is pinned at 2.2.32 for bug that is fixed
 upstream
Date: Wed, 05 Apr 2023 08:49:06 +0200

Hi Leo,

On Tue, 04 Apr 2023 at 21:27, Leo Famulari <leo <at> famulari.name> wrote:

>> So the impact is ~10% of all the packages.  From a quick look, some
>> packages are intensive to rebuild, to my knowledge.
>
> Yes, that's correct. But our build farm can easily build these packages
> quickly, if we wanted to use it for that.

Well, I do not know.  Let’s do it! :-)

Are you proposing to update ’gnupg’ from 2.2.32 to 2.2.33 or why not to
2.2.41?  And remove the graft ’gnupg/fixed’?

Or are you proposing to replace the graft ’gnupg/fixed’ by another
version than 2.2.32 as 2.2.33 or higher?


Cheers,
simon




Information forwarded to bug-guix <at> gnu.org:
bug#62294; Package guix. (Thu, 06 Apr 2023 13:23:01 GMT)

Message #29 received at 62294 <at> debbugs.gnu.org:

From: Ethan Blanton <elb <at> kb8ojh.net>
To: Simon Tournier <zimon.toutoune <at> gmail.com>
Cc: 62294 <at> debbugs.gnu.org, Leo Famulari <leo <at> famulari.name>
Subject: Re: bug#62294: gnupg is pinned at 2.2.32 for bug that is fixed
 upstream
Date: Thu, 6 Apr 2023 09:22:17 -0400

Simon Tournier wrote:
> Are you proposing to update ’gnupg’ from 2.2.32 to 2.2.33 or why not to
> 2.2.41?  And remove the graft ’gnupg/fixed’?

Personally, I think it should advance farther than 2.2.32, as there
are S/MIME bugs prior to 2.2.35 that prevent a variety of
commonly-issued S/MIME keys from being imported (see the link in the
original bug).  Selfishly, I have one of those keys and it's a problem
for me, but in general, it seems to include some keys issued by state
agencies in Europe, as well as private issuers in the US and possibly
other locations.




Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
You have taken responsibility. (Sun, 07 May 2023 15:04:02 GMT)

Notification sent to Ethan Blanton <elb <at> kb8ojh.net>:
bug acknowledged by developer. (Sun, 07 May 2023 15:04:02 GMT)

Message #34 received at 62294-done <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Ethan Blanton <elb <at> kb8ojh.net>
Cc: Leo Famulari <leo <at> famulari.name>, 62294-done <at> debbugs.gnu.org,
 Simon Tournier <zimon.toutoune <at> gmail.com>
Subject: Re: bug#62294: gnupg is pinned at 2.2.32 for bug that is fixed
 upstream
Date: Sun, 07 May 2023 11:03:40 -0400

Hello,

We're now at 2.2.39 on master.  Closing!

-- 
Thanks,
Maxim




Bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 05 Jun 2023 11:24:14 GMT)
