GNU bug report logs - #62294: gnupg is pinned at 2.2.32 for bug that is fixed upstream
Reported by: Ethan Blanton <elb <at> kb8ojh.net>
Date: Mon, 20 Mar 2023 13:02:01 UTC
Severity: normal
Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Report forwarded to bug-guix <at> gnu.org: bug#62294; Package guix. (Mon, 20 Mar 2023 13:02:02 GMT)
Acknowledgement sent to Ethan Blanton <elb <at> kb8ojh.net>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Mon, 20 Mar 2023 13:02:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
It looks like the gnupg package is pinned at 2.2.32 with the following
note:
;; Note2: 2.2.33 currently suffers from regressions, so do not update to it
;; (see: https://dev.gnupg.org/T5742).
However, the bug referenced here is fixed in upstream commit
4cc724639c012215f59648cbb4b7631b9d352e36, which shipped in gnupg
2.2.34. Meanwhile, all gnupg releases older than 2.2.35 suffer from
an S/MIME key-parsing bug (referenced in
https://www.mail-archive.com/gnupg-users <at> gnupg.org/msg40758.html).
I believe the pin on 2.2.32 can be lifted, but as gnupg is important
infrastructure I am unsure about directly submitting a patch to update
to a newer version.
Ethan
Information forwarded to bug-guix <at> gnu.org: bug#62294; Package guix. (Tue, 04 Apr 2023 11:52:03 GMT)
Message #8 received at 62294 <at> debbugs.gnu.org (full text, mbox):
Hi,
On Mon, 20 Mar 2023 at 09:01, Ethan Blanton via Bug reports for GNU Guix <bug-guix <at> gnu.org> wrote:
> I believe the pin on 2.2.32 can be lifted, but as gnupg is important
> infrastructure I am unsure about directly submitting a patch to update
> to a newer version.
Well, a graft does not seem recommended because it would update to two
versions. And updating the package would be a core-updates change.
Well, maybe it could be part of the current core-updates dance. Could you
send a patch for core-updates?
Cheers,
simon
Information forwarded to bug-guix <at> gnu.org: bug#62294; Package guix. (Tue, 04 Apr 2023 16:24:02 GMT)
Message #11 received at 62294 <at> debbugs.gnu.org (full text, mbox):
On Tue, Apr 04, 2023 at 11:48:31AM +0200, Simon Tournier wrote:
> On Mon, 20 Mar 2023 at 09:01, Ethan Blanton via Bug reports for GNU Guix <bug-guix <at> gnu.org> wrote:
> > I believe the pin on 2.2.32 can be lifted, but as gnupg is important
> > infrastructure I am unsure about directly submitting a patch to update
> > to a newer version.
Thanks for letting us know!
> Well, graft does not seem recommended because it would update to two
> versions. And update the package would be a core-updates.
>
> Well, maybe it could be of the current core-updates dance. Could you
> send a patch for core-updates?
GnuPG does have a large number of dependent packages, but I'd argue
that's either 1) a bug or 2) something we should ignore and update
freely. It's a critical package, and did not use to have such a large
number of dependents. It's really a problem for the distro if we don't
allow ourselves to update packages like this freely.
Information forwarded to bug-guix <at> gnu.org: bug#62294; Package guix. (Tue, 04 Apr 2023 16:34:01 GMT)
Message #14 received at submit <at> debbugs.gnu.org (full text, mbox):
On Mon, Mar 20, 2023 at 09:01:33AM -0400, Ethan Blanton via Bug reports for GNU Guix wrote:
> However, the bug referenced here is fixed in upstream commit
> 4cc724639c012215f59648cbb4b7631b9d352e36, which shipped in gnupg
> 2.2.34. Meanwhile, all gnupg releases older than 2.2.35 suffer from
> an S/MIME key-parsing bug (referenced in
> https://www.mail-archive.com/gnupg-users <at> gnupg.org/msg40758.html).
Does this bug have a CVE ID, or any information from upstream about
where it was fixed? It's hard to find release notes on the GnuPG
website.
Information forwarded to bug-guix <at> gnu.org: bug#62294; Package guix. (Tue, 04 Apr 2023 16:34:02 GMT)
Information forwarded to bug-guix <at> gnu.org: bug#62294; Package guix. (Tue, 04 Apr 2023 17:33:02 GMT)
Message #20 received at 62294 <at> debbugs.gnu.org (full text, mbox):
Hi Leo,
On Tue, 04 Apr 2023 at 12:23, Leo Famulari <leo <at> famulari.name> wrote:
>> Well, graft does not seem recommended because it would update to two
>> versions. And update the package would be a core-updates.
>>
>> Well, maybe it could be of the current core-updates dance. Could you
>> send a patch for core-updates?
>
> GnuPG does have a large number of dependent packages, but I'd argue
> that's either 1) a bug or 2) something we should ignore and update
> freely. It's a critical package, and did not used to have such a large
> number of dependents. It's really a problem for the distro if we don't
> allow ourselves to update packages like this freely.
Maybe I am doing something wrong, I get:
--8<---------------cut here---------------start------------->8---
$ guix refresh -l gnupg | cut -f1 -d':'
Building the following 1491 packages would ensure 2880 dependent packages are rebuilt
--8<---------------cut here---------------end--------------->8---
So the impact is ~10% of all the packages. From a quick look, some
packages are intensive to rebuild, to my knowledge.
Are you proposing to graft?
Cheers,
simon
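Added here as an example (not code from any participant in this thread): a small POSIX shell helper that parses the summary line `guix refresh -l` prints, as Simon did above, and maps the dependent count onto a target branch, so the "graft or core-updates" question can be answered mechanically. The branch thresholds (300 and 1800 dependents) are taken from the Guix manual's branching guidance of that period and are an assumption to verify against the current manual; the sample line is copied from the message above.

```shell
#!/bin/sh
# Copy of the summary line that `guix refresh -l gnupg | cut -f1 -d':'`
# printed in the thread above (the package list after the colon is cut off).
SAMPLE='Building the following 1491 packages would ensure 2880 dependent packages are rebuilt'

# rebuild_counts LINE: print "<direct> <dependent>" parsed from a
# `guix refresh -l` summary line, or nothing if the line does not match.
rebuild_counts() {
    printf '%s\n' "$1" | sed -n \
        's/^Building the following \([0-9][0-9]*\) packages would ensure \([0-9][0-9]*\) dependent packages are rebuilt.*$/\1 \2/p'
}

# target_branch LINE: name the branch an update should go to, using the
# larger (dependent) count as the conservative measure of rebuild impact.
# Thresholds follow the Guix manual's branching guidance of that period
# (assumption: check the current manual before relying on them).
target_branch() {
    counts=$(rebuild_counts "$1")
    if [ -z "$counts" ]; then
        echo "unparsed"
        return 1
    fi
    dependents=${counts#* }
    if [ "$dependents" -le 300 ]; then
        echo "master"
    elif [ "$dependents" -le 1800 ]; then
        echo "staging"
    else
        echo "core-updates"
    fi
}

# Stand-alone run: classify the sample line from the thread.
echo "gnupg: $(rebuild_counts "$SAMPLE") -> $(target_branch "$SAMPLE")"
```

Run it against live output with `target_branch "$(guix refresh -l gnupg | cut -f1 -d':')"` on a machine with Guix installed.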
Information forwarded to bug-guix <at> gnu.org: bug#62294; Package guix. (Wed, 05 Apr 2023 01:28:01 GMT)
Message #23 received at 62294 <at> debbugs.gnu.org (full text, mbox):
On Tue, Apr 04, 2023 at 07:31:47PM +0200, Simon Tournier wrote:
> Maybe I am doing something wrong, I get:
>
> --8<---------------cut here---------------start------------->8---
> $ guix refresh -l gnupg | cut -f1 -d':'
> Building the following 1491 packages would ensure 2880 dependent packages are rebuilt
> --8<---------------cut here---------------end--------------->8---
>
> So the impact is ~10% of all the packages. From a quick look, some
> packages are intensive to rebuild, to my knowledge.
Yes, that's correct. But our build farm can easily build these packages
quickly, if we wanted to use it for that.
Information forwarded to bug-guix <at> gnu.org: bug#62294; Package guix. (Thu, 06 Apr 2023 08:45:01 GMT)
Message #26 received at 62294 <at> debbugs.gnu.org (full text, mbox):
Hi Leo,
On Tue, 04 Apr 2023 at 21:27, Leo Famulari <leo <at> famulari.name> wrote:
>> So the impact is ~10% of all the packages. From a quick look, some
>> packages are intensive to rebuild, to my knowledge.
>
> Yes, that's correct. But our build farm can easily build these packages
> quickly, if we wanted to use it for that.
Well, I do not know. Let’s do it! :-)
Are you proposing to update ‘gnupg’ from 2.2.32 to 2.2.33 or why not to
2.2.41? And remove the graft ‘gnupg/fixed’?
Or are you proposing to replace the graft ‘gnupg/fixed’ by another
version than 2.2.32 as 2.2.33 or higher?
Cheers,
simon
Information forwarded to bug-guix <at> gnu.org: bug#62294; Package guix. (Thu, 06 Apr 2023 13:23:01 GMT)
Message #29 received at 62294 <at> debbugs.gnu.org (full text, mbox):
Simon Tournier wrote:
> Are you proposing to update ‘gnupg’ from 2.2.32 to 2.2.33 or why not to
> 2.2.41? And remove the graft ‘gnupg/fixed’?
Personally, I think it should advance farther than 2.2.32, as there
are S/MIME bugs prior to 2.2.35 that prevent a variety of
commonly-issued S/MIME keys from being imported (see the link in the
original bug). Selfishly, I have one of those keys and it's a problem
for me, but in general, it seems to include some keys issued by state
agencies in Europe, as well as private issuers in the US and possibly
other locations.
Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>: You have taken responsibility. (Sun, 07 May 2023 15:04:02 GMT)
Notification sent to Ethan Blanton <elb <at> kb8ojh.net>: bug acknowledged by developer. (Sun, 07 May 2023 15:04:02 GMT)
Message #34 received at 62294-done <at> debbugs.gnu.org (full text, mbox):
Hello,
We're now at 2.2.39 on master. Closing!
--
Thanks,
Maxim
Bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 05 Jun 2023 11:24:14 GMT)
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.