On Mon, Jan 13, 2025 at 02:04:00PM +0100, Simon Josefsson wrote: > Jonathan McDowell <nood...@earth.li> writes: > > On Mon, Jan 13, 2025 at 11:08:11AM +0100, Simon Josefsson wrote: > >> Daniel Kahn Gillmor <d...@debian.org> writes: > >> > I welcome review and critique of the packaging for this tricky package, > >> > which is pretty deeply embedded in Debian (though getting less so, as > >> > apt no longer requires it and we have many other OpenPGP implementations > >> > available today). I'd be even more delighted with offers of active > >> > co-maintenance beyond the work that Andreas and i have been doing. > >> > >> I've offered help, but my impression has been that it not giving up on > >> the schism thing has been more important than getting Debian to ship > >> upstream code to users and let people decide what they want to use. > >> > >> Sometimes it is better to let other make decisions rather than to make > >> decisions for others. > > > > I agree, but in this instance given the reliance we have upon GnuPG > > throughout the Debian ecosystem I believe it's important we ensure that > > the default configuration of what we ship is compatible with OpenPGP. > > Power users can feel free to play with OpenPGP v6 / LibrePGP > > enhancements, but for the vast majority of folk sticking to RFC > > compliant v4 is going to make the most sense. > > I understand this concern, but I believe there is a strong bias for > Debian developers to care about our own use-cases a lot which may not be > particulary relevant outside the scope of Debian-internal development. > > I believe it would be perfectly fine to ship verbatim upstream unpatched > GnuPG 2.4 and work out any Debian-specific quirks and requirements we > have and put quirks into tools that are external to GnuPG itself.
I don't agree. For trixie I would like us to ship a GnuPG which _by default_ does not emit LibrePGP packets. I'm fully in favour of that ability being available to folk who chose to explicitly enable it, but I don't think it's a responsible default for us to ship. It's a simple fact that the OpenPGP ecosystem, including GnuPG, is complicated for folk who are not devoting significant time to understanding it all. We've seen that previously in terms of having to write documentation about how to generate keys with secure settings, or explain why we've made certain decisions that deviate from what an out-of-the box config would give. We're not an outlier in patching GnuPG to provide OpenPGP v4 defaults. (This email written wearing no hats, but definitely informed by the fact I'm part of keyring-maint.) J. -- "I'm a paranoid agnostic. I doubt the existence of God, but I'm sure there is some force, somewhere, working against me." -- Marc Maron
signature.asc
Description: PGP signature
