On Wed, Dec 18, 2024 at 12:02:18AM +0100, Julian Andres Klode wrote:
> On Tue, Dec 03, 2024 at 04:34:52PM +0100, Julian Andres Klode wrote:
> > On Thu, Nov 21, 2024 at 09:16:20PM +0100, Julian Andres Klode wrote:
> > > I've just finished more or less, adjusting the APT test suite
> > > to test gpgv-sq. I plan to upload APT that tests gpgv-sq
> > > tomorrow. This ensures full compatibility between apt and
> > > gpgv-sq going forward.
> > >
> > > After that migrates to testing next week, I want to make
> > > the switch: APT by default should use gpgv-sq. Previous
> > > discussions with the security team did not reveal any
> > > blockers for that, despite the strenuous nature of
> > > security updates for Rust packages.
> >
> > This has been delayed. There's ongoing investigation into
> > sqv and sqopv, which are smaller verifiers from Sequoia,
> > measuring only 2MB and without an SQLite dependency, hence
> > saving about 6MB.
>
> An sqv backend is now available in apt-team/apt!409 and in
> experimental in apt 2.9.17+exp1.
>
> Note that the experimental upload only supports architectures
> with sqv available. There is no fallback yet.
>
> The plan is to detect if sqv is available at build time, by
> build-depending on sqv for the correct set of architectures,
> and then generate a `Depends: sqv` for those architectures,
> and `Depends: gpgv` for other (ports) architectures.
>
> The sqv binary is about 2MB large when optimized for size,
> and provides good feedback when a key cannot be verified.

The Sequoia sqv backend is now the default backend in unstable
for architectures that have it (all release architectures, most
ports).

2.9.19 also replaces internal GnuTLS and gcrypt use with OpenSSL,
and all use of GnuPG in the test suite with Sequoia's `sq` command.

There is a backwards-incompatible change: Signed-By can no longer
contain an exact subkey match (suffix "!"). That information is
- rightly so - not available in the sqv output.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer - i speak de, en
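
To find source entries affected by the Signed-By change announced above, the following added example (not part of the original message and not code from apt) scans one-line `.list` and deb822 `.sources` text for fingerprints carrying the "!" suffix. The function names, the fingerprint-length pattern, the `/etc/apt` default and the sample data are assumptions made for illustration.

```python
import re
from pathlib import Path

# Assumption: a fingerprint is 40 to 64 hex digits; a trailing "!" asks for an exact subkey match.
EXACT_FPR = re.compile(r"^[0-9A-Fa-f]{40,64}!$")
ONE_LINE_OPTS = re.compile(r"^\s*deb(?:-src)?\s+\[([^\]]*)\]")

def exact_tokens(value):
    """Return the Signed-By tokens that are fingerprints ending in "!"."""
    return [t for t in re.split(r"[,\s]+", value) if EXACT_FPR.match(t)]

def scan_one_line(text):
    """One-line style (*.list): options sit in [ ... ] after deb/deb-src."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = ONE_LINE_OPTS.match(line.split("#", 1)[0])
        for opt in (m.group(1).split() if m else []):
            key, _, val = opt.partition("=")
            if key.lower() == "signed-by":
                hits += [(no, t) for t in exact_tokens(val)]
    return hits

def scan_deb822(text):
    """deb822 style (*.sources): Signed-By may continue on indented lines."""
    hits, in_field = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#"):
            continue
        if line[:1] not in (" ", "\t"):  # a new field (or a blank line) starts here
            key, sep, line = line.partition(":")
            in_field = bool(sep) and key.strip().lower() == "signed-by"
        if in_field:
            hits += [(no, t) for t in exact_tokens(line)]
    return hits

def scan_tree(root="/etc/apt"):
    """Scan *.list and *.sources files under root; returns {path: [(line, token)]}."""
    scanners = {".list": scan_one_line, ".sources": scan_deb822}
    found = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix in scanners:
            hits = scanners[p.suffix](p.read_text(errors="replace"))
            if hits:
                found[str(p)] = hits
    return found

# Constructed sample input (the fingerprint and repository are made up).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_LIST = f"deb [arch=amd64 signed-by=/usr/share/keyrings/a.gpg,{FPR}!] http://example.org/debian stable main\n"
SAMPLE_SOURCES = f"Types: deb\nURIs: http://example.org/debian\nSuites: stable\nSigned-By: {FPR}\n {FPR}!\n"
```

Calling `scan_tree()` on a host returns the files and line numbers whose Signed-By entries need the "!" removed (or the key pinned another way) before moving to an apt that uses the sqv backend.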