On Wednesday, 12 August 2015, 02.39:23, Cyril Brulebois wrote:
> And thanks for getting in touch with us.

Indeed.

> Daniel Kahn Gillmor <d...@fifthhorseman.net> (2015-08-11):
> > i believe the installer relies on gpgv for archive manifest
> > signature verification. we have gpgv-udeb for that purpose, i
> > think.
>
> That's the idea, yeah. Grepping through all of our packages → see the
> results below my signature; that's basically base-installer and
> net-retriever which depend on gpgv-udeb.
>
> For the record, last time we've seen changes in gpgv, that was in:
> https://lists.debian.org/debian-boot/2014/01/msg00129.html
>
> which eventually led to: #753985. Skimming through it again, it seems
> win32-loader was somewhat affected as well. Adding Didier in the loop
> explicitly just to be on the safe side.

Exactly. win32-loader embeds gpgv.exe, shipped in gpgv-win32, under
/usr/share/win32/gpgv.exe; this embedding happens at (arch:all) build-time,
and only concerns the win32-loader.exe that is shipped on the Debian mirrors:
http://httpredir.debian.org/debian/tools/win32-loader/unstable/win32-loader.exe .

We discussed in #778877 the addition of an autopkgtest in gpg so that we
could make sure gpgv.exe is kept in a working state. This doesn't seem to
have made its way to the archive though.

Anyway, I'm digressing. From the win32-loader point of view, all it needs is
a gpgv.exe that can check Release.gpg files, when run under Windows (wine
being a good test though). If that gpgv.exe is GnuPG 1 or 2 doesn't matter. :)

Cheers,
OdyX