On Thu, 09 Jan 2025 18:29:02 -0500
Daniel Kahn Gillmor <d...@debian.org> wrote:
> On Thu 2025-01-09 07:55:36 +0100, Stephan Verbücheln wrote:
> > GnuPG 2.4 was released in 2022, long before the LibrePGP schism. It
> > is generally not clear to me how the divergence from upstream is a
> > reason to favor 2.2 over 2.4, except that patches have to be ported
> > (once?).  
> 
> sadly, 2.4 was released at a time when the LibrePGP schism was on the
> horizon,

I reconstructed the following timeline:

Debian bullseye hard freeze[1]:             2021-03-12
According to Upstream[2], GnuPG 2.4 birth:  2021-04-07 (maybe as devel)
Debian bullseye full freeze[1]:             2021-07-17
First package (2.4.0) in experimental[3]:   2022-12-25
Debian bookworm hard freeze[4]:             2023-03-12
Debian bookworm full freeze[4]:             2023-05-24
Ubuntu 24.04 LTS (Noble Numbat) release[5]: 2024-04
RNP LibrePGP support[6]:                    2024-07-22
OpenPGP RFC 9580 release[7]:                2024-07-31

> For example, OpenPGP certificates produced by earlier versions of 2.4
> and imported into Thunderbird advertised non-standardized encryption
> mechanisms that Thunderbird didn't support, which led to unreadable
> mails for those users.

Is this still a problem with GnuPG 2.4.7? Can this be adjusted by
changing default configuration in the Debian package? Does it need
a code patch?

Thunderbird seems to use the RNP[8] crypto library which supports
a cooperative workflow with GnuPG via LibrePGP.  Are there patches
to remove this behaviour in Debian?

> That's why we delayed bringing 2.4 into debian, so that our users
> wouldn't get locked into non-standard or suboptimal cryptographic
> mechanisms.

Still having GnuPG 2.2 in Debian is similarly suboptimal. At
the moment users are locked into using a software version tree
which started 2014-11-06, which is more than a decade ago.


 [1] https://release.debian.org/bullseye/freeze_policy.html
 [2] https://gnupg.org/download/index.html
 [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022702
 [4] https://release.debian.org/bookworm/freeze_policy.html
 [5] https://ubuntu.com/about/release-cycle
 [6] https://www.rnpgp.org/blog/2024-07-22-rnp-and-librepgp/
 [7] https://datatracker.ietf.org/doc/rfc9580/
 [8] https://www.rnpgp.org/


-- 
kind regards
Frank
