On 2025-01-13 Simon Josefsson <si...@josefsson.org> wrote:
> Jonathan McDowell <nood...@earth.li> writes:
[...]
> > I agree, but in this instance given the reliance we have upon GnuPG
> > throughout the Debian ecosystem I believe it's important we ensure that
> > the default configuration of what we ship is compatible with OpenPGP.
> > Power users can feel free to play with OpenPGP v6 / LibrePGP
> > enhancements, but for the vast majority of folk sticking to RFC
> > compliant v4 is going to make the most sense.
> I understand this concern, but I believe there is a strong bias for
> Debian developers to care about our own use-cases a lot which may not be
> particularly relevant outside the scope of Debian-internal development.
> I believe it would be perfectly fine to ship verbatim upstream unpatched
> GnuPG 2.4 and work out any Debian-specific quirks and requirements we
> have and put quirks into tools that are external to GnuPG itself.
[...]

Hello,

I think the bit of information that is missing here is that Debian is
*not* the odd man out for shipping patched versions of gnupg. Take a
look at https://repology.org/project/gnupg/packages yourself. Everybody
is trying to protect their users by trying to patch out
librepgp-specific behavior by default.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'