On 2025-03-12 Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
> On Wed 2025-03-12 18:13:49 +0100, Andreas Metzler wrote:
[...]
>> php-crypt-gpg 1.6.9-3 can be built against gnupg 2.2.46-1 but fails
>> against gnupg 2.2.46-3 and later. And vice versa the patched testsuite
>> of php-crypt-gpg 1.6.9-4 only works with gnupg 2.2.46-3 (or similarly
>> patched versions of 2.4).
> yes, i think that's correct. If you'd prefer, i can offer a patch to
> php-crypt-gpg's test suite that accepts whether there's a trailing
> newline or not. That kind of flexible patch could be upstreamable, and
> would work with a patched or non-patched GnuPG.

Hello Daniel,

having this properly fixed upstream would be great or even a must. (I
suspect sequoia chameleon would trigger the same or a similar error as
gnupg-patched does.) I also think it is important to not start a
precedent in having Debian packages patched to work with (only) "our
gnupg".

>> So this cannot be applied upstream. Afaiui this is nowadays niche,
>> non-recommended usage of gnupg so I wonder whether the cost/benefit
>> ratio for applying this patch to our gnupg packages (or including it
>> in FreePG) is good enough.

> if we want GnuPG to interoperate with standard-following OpenPGP tools,
> then we need GnuPG to sign the material that is actually passed in, and
> emit the material that is actually signed. While i agree that the CSF
> is deprecated, it is still widely used (e.g. debian's InRelease uses
> it), and any interoperability test that tries to round-trip data through
> two different implementations will flag this as a problem.

> I see the goal of my debian GnuPG work as being that we should provide a
> tool to debian users that will interoperate with any OpenPGP
> implementation as best as we can.
[...]

I suspect keeping/putting gnupg in-line with OpenPGP is not going to be
simple, we (well, you ;-) ) will need to choose our battles,
concentrating on the most important use-cases or the ones with hard
breakage. Also imho every deviation from upstream gnupg behavior has a
cost of its own, especially possibly breaking compatibility with
unpatched gnupg. That is where my talk about "cost/benefit ratio" came
from. I am just not sure whether the patch is worth the pain.

I hope that helps you in making a good decision. (*Either* way, keeping
or removing the patch.)

thanks, cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'