Version: 2.2.46-5

In https://bugs.debian.org/1100074, Daniel Kahn Gillmor wrote:

> I've reported the problem upstream on T7547, where the attempts to
> mitigate the side effects of fixing the verification DoS:
>
> https://dev.gnupg.org/T7547#198934
>
> GnuPG should probably not migrate into testing until this part is also
> resolved.
After additional testing and discussion with upstream, these fixes appear to be overall a net improvement in GnuPG, and the test suites are more brittle than they should be. For example, these changes actually take away one source of indeterminacy in GnuPG: it would give different assessments of certain certificates depending on which certificate it encountered first.

Instead of forcing GnuPG to conform to its previous indeterminate behavior, it's better to keep the improvements and make the test suites of the surrounding infrastructure less brittle. I've done that with libgnupg-interface-perl 1.04-5 (and thanks to gregor for his cleanup of my mess in 1.04-6 as well).

I consider this to be one of the consequences of GnuPG's poorly specified, shifting, and inadequately tested "API", but that's the state of play in the ecosystem around GnuPG at this point.

2.2.46-5 didn't technically fix the problem (it just avoided a double-free that has existed in GnuPG for years), but the updated test suites with this fix in place were sufficient to assess that it's better to make the surrounding test suites less brittle than to try to convince GnuPG to revert to the older, more broken semantics.

At any rate, I'm marking #1100074 as done for now.

--dkg