On Thu 2025-01-09 07:55:36 +0100, Stephan Verbücheln wrote:
> GnuPG 2.4 was released in 2022, long before the LibrePGP schism. It is
> generally not clear to me how the divergence from upstream is a reason
> to favor 2.2 over 2.4, except that patches have to be ported (once?).

Sadly, 2.4 was released at a time when the LibrePGP schism was on the horizon, and it was clear that GnuPG was going to go ahead and publish whatever it wanted to do, rather than aligning with the rest of the OpenPGP ecosystem. This means it was producing "OpenPGP" artifacts that hadn't been confirmed as interoperable by other implementations, or even had a reasonable amount of cryptographic review (see the links in my previous mail in this thread).

For example, OpenPGP certificates produced by earlier versions of 2.4 and imported into Thunderbird advertised non-standardized encryption mechanisms that Thunderbird didn't support, which led to unreadable mails for those users. That's why we delayed bringing 2.4 into Debian, so that our users wouldn't get locked into non-standard or suboptimal cryptographic mechanisms.

> I also do not understand what is wrong/lacking with the already patched
> versions in Experimental and Ubuntu.
>
> https://packages.debian.org/experimental/gnupg

I can't speak to the versions in Ubuntu, but the work in experimental helps us to understand exactly what we would be getting into if we were to switch, in terms of emitting non-standardized or non-interoperable formats. I agree that we should try to minimize risk there, and moving to some stabilized version of 2.4 might be a good thing, given upstream's increased attention to 2.4 compared to 2.2. If we can do that safely, we will, but there's review work to be done to make sure it really is sensible.

One of the nice things about FreePG is that we can share the load of work toward safety and interoperability and robustness with other downstream users of GnuPG who have the same concerns.

Regards,

--dkg
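The interoperability concern above is about preference subpackets in a certificate's self-signature: a producer can advertise a mechanism that a consumer never implemented. The following is an added illustration of how a reviewer can audit that, not code from Debian, GnuPG or the mail's author. It walks the hashed-subpacket area of an OpenPGP signature, using the subpacket type numbers from RFC 9580 (11, 21, 22, 39) and the draft-era type 34 "Preferred AEAD Algorithms" that RFC 9580 marks reserved, and flags the latter as non-standard. The sample area is constructed inline (AES and SHA-2 preferences plus a draft AEAD preference), so it runs offline against no real key; the `audit_preferences` name and the one-byte-length builder are this example's own.

```python
"""Audit the preference subpackets advertised in an OpenPGP signature's
hashed-subpacket area.

Added example for the interoperability point above; not Debian's, GnuPG's
or the author's code.  Subpacket type numbers are from RFC 9580 section
5.2.3.7.  Type 34 is the draft (rfc4880bis / LibrePGP) "Preferred AEAD
Algorithms" subpacket, which RFC 9580 reserves rather than defines; a
consumer that only implements the RFC may not understand it.
"""

# Preference subpackets defined by RFC 9580.
PREFERENCE_SUBPACKETS = {
    11: "Preferred Symmetric Ciphers",
    21: "Preferred Hash Algorithms",
    22: "Preferred Compression Algorithms",
    39: "Preferred AEAD Ciphersuites",
}

# Preference subpackets that exist only in the draft / LibrePGP lineage.
DRAFT_ONLY_SUBPACKETS = {
    34: "Preferred AEAD Algorithms (draft/LibrePGP; reserved in RFC 9580)",
}


def read_subpacket_length(buf, i):
    """Decode the variable-length subpacket length starting at buf[i].

    Returns (length, number of bytes consumed), following the 1/2/5-byte
    encoding used for subpacket lengths.
    """
    first = buf[i]
    if first < 192:
        return first, 1
    if first < 255:
        return ((first - 192) << 8) + buf[i + 1] + 192, 2
    return int.from_bytes(buf[i + 1:i + 5], "big"), 5


def parse_subpackets(area):
    """Split a subpacket area into (type, critical_flag, body) tuples."""
    out = []
    i = 0
    while i < len(area):
        length, used = read_subpacket_length(area, i)
        i += used
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket length")
        ptype = area[i] & 0x7F        # low 7 bits: subpacket type
        critical = bool(area[i] & 0x80)  # high bit: critical flag
        body = bytes(area[i + 1:i + length])
        out.append((ptype, critical, body))
        i += length
    return out


def audit_preferences(area):
    """Return (status, type, name, algorithm ids) for each preference subpacket.

    status is "standard" for RFC 9580 preference subpackets and
    "non-standard" for draft-only ones; other subpacket types are ignored.
    """
    findings = []
    for ptype, _critical, body in parse_subpackets(area):
        if ptype in PREFERENCE_SUBPACKETS:
            findings.append(("standard", ptype, PREFERENCE_SUBPACKETS[ptype], list(body)))
        elif ptype in DRAFT_ONLY_SUBPACKETS:
            findings.append(("non-standard", ptype, DRAFT_ONLY_SUBPACKETS[ptype], list(body)))
    return findings


def encode_subpacket(ptype, body):
    """Build one subpacket with a one-byte length (enough for the sample)."""
    payload = bytes([ptype]) + body
    if len(payload) >= 192:
        raise ValueError("sample builder only handles one-byte lengths")
    return bytes([len(payload)]) + payload


# Constructed sample hashed area, not taken from any real certificate.
SAMPLE_AREA = (
    encode_subpacket(11, bytes([9, 8, 7]))     # AES-256, AES-192, AES-128
    + encode_subpacket(21, bytes([10, 9, 8]))  # SHA-512, SHA-384, SHA-256
    + encode_subpacket(34, bytes([2, 1]))      # draft AEAD prefs: OCB, EAX
)

if __name__ == "__main__":
    for status, ptype, name, algs in audit_preferences(SAMPLE_AREA):
        print(f"{status:12} subpacket {ptype:2} {name}: {algs}")
```

Run against a real self-signature, the hashed area would be taken from the signature packet (after the two-byte hashed-length field); a "non-standard" finding is exactly the situation where a consumer that only implements RFC 9580 would have nothing to honour.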