Follow-up Comment #5, sr #109583 (project administration):
> But we can install and use gnupg2.
Yes. But if we do then we must manually track all security issues with gpg
ourselves for the duration that we are not using the OS security team for it.
That's often forgotten.
Right now when there is a security issue the community security teams usually
share information about the vulnerability and coordinate disclosure and
package upgrades. For most of us in the field the first notification we get
of a problem is that a new package is available to be installed from the
security repository. This is often installed even before the official
disclosure.
If we count on doing our own thing and manually tracking a package like gpg
then we would normally learn of problems late as part of the official
disclosure. And then are left to scramble to make an upgraded package very
quickly.
Having a plan for security upgrades for any non-distribution installed utility
is a concern. And gpg lies at the center where a security vulnerability is
like and would be most important.
Also this doesn't seem like something that we should be doing. There are few
if any stable releases with such a new gpg. That means there will be few
users who will be able to make use of it yet. This seems like a lot of work,
some moderate risk, for very little need. It is much simpler to clarify with
users that ED25519 cipher is not yet supported.
> It should be available in Trisquel 8.
I just checked and Trisquel 8 has gpg 1.4.20. It will need to be Trisquel 9
before it arrives.
> Do Savannah have plans to upgrade in the near future (say in 3 - 6 months)?
Not at this time. Although the need to do so is hanging heavy over us.
Something is going to need to happen soon. The biggest problem being the web
UI and the need to upgrade to PHP 7. The other systems can all upgrade
independently. However this feature being discussed here in this ticket is a
frontend feature.
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/support/?109583>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
