On 05/03/15 11:33, Paulo Lopes wrote:
> as of today (March 5, 2015) Ubuntu 14.04 LTS is still offering gnupg
> 1.4.16 even though there have been security issues fixed in 1.4.17,
> 1.4.18 and 1.4.19. In a way an uninformed user that is under the
> impression that gnupg is secure due to the fact that the distro
> he/she uses does not update the packages in time is using vulnerable
> software while the project has already issued security fixes long
> time ago...

I think you'll find that many distributions in fact backport security fixes. Especially if they amount to more than a DoS. Debian, for instance, has a policy to try and avoid new versions of software in their stable version, favouring backporting fixes.

Why do you think an "official" (wouldn't be my words) package maintained by an official GnuPG upstream, for instance, would be better than what dkg does for Debian, for instance?

Which distribution's packaging are you dissatisfied with particularly, and shouldn't you take this up with the maintainers of the package rather than asking here for a different package for your distro?

I think sticking with your distribution's repository offers many advantages: it works out of the box, you get security updates without having to enter an additional repository in your package management, and it leaves time for upstream GnuPG to focus on their software, leaving packaging, and for instance packaging policy changes in a distribution, to other people.

Plus, a fair number of distributions use GnuPG to authenticate the software in their repository. It's part of the very core of the distribution. It needs to be in the main repository, it needs to receive security fixes.

If you feel the packaging of GnuPG is lacking in your distribution, you should definitely take that up with the maintainers there.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>