Your message dated Fri, 14 Mar 2025 09:55:23 -0400
with message-id <87r02zvhro....@fifthhorseman.net>
and subject line Re: Bug#1100074: gpg: gpg changes representation of 
certifications from expired certs, breaks test suite for GnuPG::Interface
has caused the Debian Bug report #1100074,
regarding gpg: gpg changes representation of certifications from expired certs, 
breaks test suite for GnuPG::Interface
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1100074: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100074
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gpg
Version: 2.2.46-4
Severity: serious
Control: notfound -1 2.2.46-3
Control: affects -1 + libgnupg-interface-perl
Control: forwarded -1 https://dev.gnupg.org/T7547#198934

The fix for #1099141 introduced a new regression in the behavior of
GnuPG when evaluating certifications from expired OpenPGP certificates.

I've reported the problem upstream on T7547, where the attempts to
mitigate the side effects of fixing the verification DoS:

   https://dev.gnupg.org/T7547#198934

GnuPG should probably not migrate into testing until this part is also
resolved.

        --dkg

-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.12-amd64 (SMP w/20 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gpg depends on:
ii  gpgconf          2.2.46-4
ii  libassuan9       3.0.2-2
ii  libbz2-1.0       1.0.8-6
ii  libc6            2.40-7
ii  libgcrypt20      1.11.0-7
ii  libgpg-error0    1.51-3
ii  libreadline8t64  8.2-6
ii  libsqlite3-0     3.46.1-1
ii  zlib1g           1:1.3.dfsg+really1.3.1-1+b1

Versions of packages gpg recommends:
ii  gnupg  2.2.46-4

gpg suggests no packages.

-- no debconf information

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Version: 2.2.46-5

In https://bugs.debian.org/1100074, Daniel Kahn Gillmor wrote:
> I've reported the problem upstream on T7547, where the attempts to
> mitigate the side effects of fixing the verification DoS:
>
>    https://dev.gnupg.org/T7547#198934
>
> GnuPG should probably not migrate into testing until this part is also
> resolved.

After additional testing and discussion with upstream, these fixes
appear to be overall a net improvement in GnuPG, and the test suites are
more brittle than they should be.  For example, these changes actually
take away one source of indeterminacy in GnuPG: it would give different
assessments of certain certificates depending on which certificate it
encountered first.

Instead of forcing GnuPG to conform to its previous indeterminate
behavior, it's better to keep the improvements and make the test suites
of the surrounding infrastructure less brittle.  I've done that with
libgnupg-interface-perl 1.04-5.  (and thanks to gregor for his cleanup
of my mess in 1.04-6 as well).

I consider this to be one of the consequences of GnuPG's poorly
specified, shifting, and inadequately tested "API", but that's the state
of play in the ecosystem around GnuPG at this point.

2.2.46-5 didn't technically fix the problem (it just avoided a
double-free that has existed in GnuPG for years), but the updated test
suites with this fix in place were sufficient to assess that it's better
to make the surrounding test suites less brittle than to try to convince
GnuPG to revert to the older, more broken semantics.

At any rate, i'm marking #1100074 as done for now.

   --dkg

Attachment: signature.asc
Description: PGP signature


--- End Message ---