gnupg is pinned at 2.2.32 for bug that is fixed upstream

4 participants
  • Ethan Blanton
  • Leo Famulari
  • Maxim Cournoyer
  • Simon Tournier
Owner
unassigned
Submitted by
Ethan Blanton
Severity
normal
Ethan Blanton wrote on 20 Mar 2023 14:01
(address . bug-guix@gnu.org)
ZBhZLZwNF5DVW1K1@colt.lan
It looks like the gnupg package is pinned at 2.2.32 with the following
note:

;; Note2: 2.2.33 currently suffers from regressions, so do not update to it

However, the bug referenced here is fixed in upstream commit
4cc724639c012215f59648cbb4b7631b9d352e36, which shipped in gnupg
2.2.34. Meanwhile, all gnupg releases older than 2.2.35 suffer from
an S/MIME key-parsing bug (referenced in
https://www.mail-archive.com/gnupg-users@gnupg.org/msg40758.html).

I believe the pin on 2.2.32 can be lifted, but as gnupg is important
infrastructure I am unsure about directly submitting a patch to update
to a newer version.

Ethan
Simon Tournier wrote on 4 Apr 2023 11:48
868rf8vuz4.fsf@gmail.com
Hi,

On Mon, 20 Mar 2023 at 09:01, Ethan Blanton via Bug reports for GNU Guix <bug-guix@gnu.org> wrote:
> I believe the pin on 2.2.32 can be lifted, but as gnupg is important
> infrastructure I am unsure about directly submitting a patch to update
> to a newer version.

Well, a graft does not seem recommended because it would update across two
versions. And updating the package would be a core-updates change.

Well, maybe it could be part of the current core-updates dance. Could you
send a patch for core-updates?


Cheers,
simon
Leo Famulari wrote on 4 Apr 2023 18:23
(name . Simon Tournier)(address . zimon.toutoune@gmail.com)
ZCxPC6sPREuu1ipV@jasmine.lan
On Tue, Apr 04, 2023 at 11:48:31AM +0200, Simon Tournier wrote:
> On Mon, 20 Mar 2023 at 09:01, Ethan Blanton via Bug reports for GNU Guix <bug-guix@gnu.org> wrote:
> > I believe the pin on 2.2.32 can be lifted, but as gnupg is important
> > infrastructure I am unsure about directly submitting a patch to update
> > to a newer version.

Thanks for letting us know!

> Well, graft does not seem recommended because it would update to two
> versions. And update the package would be a core-updates.
>
> Well, maybe it could be of the current core-updates dance. Could you
> send a patch for core-updates?

GnuPG does have a large number of dependent packages, but I'd argue
that's either 1) a bug or 2) something we should ignore and update
freely. It's a critical package, and did not use to have such a large
number of dependents. It's really a problem for the distro if we don't
allow ourselves to update packages like this freely.
Leo Famulari wrote on 4 Apr 2023 18:33
(name . Ethan Blanton via Bug reports for GNU Guix)(address . bug-guix@gnu.org)(address . 62294@debbugs.gnu.org)
ZCxRYAQwvctrSofb@jasmine.lan
On Mon, Mar 20, 2023 at 09:01:33AM -0400, Ethan Blanton via Bug reports for GNU Guix wrote:
> However, the bug referenced here is fixed in upstream commit
> 4cc724639c012215f59648cbb4b7631b9d352e36, which shipped in gnupg
> 2.2.34. Meanwhile, all gnupg releases older than 2.2.35 suffer from
> an S/MIME key-parsing bug (referenced in
> https://www.mail-archive.com/gnupg-users@gnupg.org/msg40758.html).

Does this bug have a CVE ID, or any information from upstream about
where it was fixed? It's hard to find release notes on the GnuPG
website.
Simon Tournier wrote on 4 Apr 2023 19:31
(name . Leo Famulari)(address . leo@famulari.name)
867curtuyk.fsf@gmail.com
Hi Leo,

On Tue, 04 Apr 2023 at 12:23, Leo Famulari <leo@famulari.name> wrote:

>> Well, graft does not seem recommended because it would update to two
>> versions. And update the package would be a core-updates.
>>
>> Well, maybe it could be of the current core-updates dance. Could you
>> send a patch for core-updates?
>
> GnuPG does have a large number of dependent packages, but I'd argue
> that's either 1) a bug or 2) something we should ignore and update
> freely. It's a critical package, and did not used to have such a large
> number of dependents. It's really a problem for the distro if we don't
> allow ourselves to update packages like this freely.

Maybe I am doing something wrong, I get:

$ guix refresh -l gnupg | cut -f1 -d':'
Building the following 1491 packages would ensure 2880 dependent packages are rebuilt

So the impact is ~10% of all the packages. From a quick look, some
packages are intensive to rebuild, to my knowledge.

Are you proposing to graft?


Cheers,
simon
Leo Famulari wrote on 5 Apr 2023 03:27
(name . Simon Tournier)(address . zimon.toutoune@gmail.com)
ZCzOdruevhvh+7fw@jasmine.lan
On Tue, Apr 04, 2023 at 07:31:47PM +0200, Simon Tournier wrote:
> Maybe I am doing something wrong, I get:
>
> --8<---------------cut here---------------start------------->8---
> $ guix refresh -l gnupg | cut -f1 -d':'
> Building the following 1491 packages would ensure 2880 dependent packages are rebuilt
> --8<---------------cut here---------------end--------------->8---
>
> So the impact is ~10% of all the packages. From a quick look, some
> packages are intensive to rebuild, to my knowledge.

Yes, that's correct. But our build farm can easily build these packages
quickly, if we wanted to use it for that.
Simon Tournier wrote on 5 Apr 2023 08:49
(name . Leo Famulari)(address . leo@famulari.name)
861qkyu8m5.fsf@gmail.com
Hi Leo,

On Tue, 04 Apr 2023 at 21:27, Leo Famulari <leo@famulari.name> wrote:

>> So the impact is ~10% of all the packages. From a quick look, some
>> packages are intensive to rebuild, to my knowledge.
>
> Yes, that's correct. But our build farm can easily build these packages
> quickly, if we wanted to use it for that.

Well, I do not know. Let’s do it! :-)

Are you proposing to update ’gnupg’ from 2.2.32 to 2.2.33 or why not to
2.2.41? And remove the graft ’gnupg/fixed’?

Or are you proposing to replace the graft ’gnupg/fixed’ by another
version than 2.2.32 as 2.2.33 or higher?


Cheers,
simon
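The two options Simon contrasts above, a graft versus a direct version bump, look like this in a Guix package module. This is an added example written for this page, not the actual `(gnu packages gnupg)` definition from Guix; the module name `(example gnupg)`, the target versions, the all-zero `sha256` placeholders (which must be replaced with the real hash from `guix download` before the definition is usable) and the description text are assumptions, while `package`, `inherit`, `replacement`, `origin` and `gnu-build-system` are the real Guix API.

```scheme
;; Added example, not Guix's real gnupg definition.
(define-module (example gnupg)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:))

;; A placeholder of the right length so the file loads; replace it with
;; the hash printed by `guix download` for the real tarball.
(define %placeholder-hash
  "0000000000000000000000000000000000000000000000000000")

(define (gnupg-origin version)
  "Source tarball for gnupg VERSION from the GNU mirror (hash is a placeholder)."
  (origin
    (method url-fetch)
    (uri (string-append "mirror://gnupg/gnupg/gnupg-" version ".tar.bz2"))
    (sha256 (base32 %placeholder-hash))))

;; Option A (what master had at the time of the thread): keep the package
;; at 2.2.32 and attach a graft.  Dependents are not rebuilt; at build
;; time Guix rewrites references to this package's store path into the
;; replacement's path.  That is only safe while the replacement stays
;; ABI-compatible (same shared-library sonames, same file layout), which
;; is why skipping several releases in a graft is considered risky.
(define-public gnupg
  (package
    (name "gnupg")
    (version "2.2.32")
    (source (gnupg-origin version))
    (build-system gnu-build-system)
    (replacement gnupg/fixed)            ; <- the graft
    (home-page "https://gnupg.org/")
    (synopsis "GNU Privacy Guard")
    (description "Example description; see the real package for the text.")
    (license license:gpl3+)))

;; The grafted replacement.  2.2.35 is an assumed target, chosen because the
;; thread names it as the first release without the S/MIME key-parsing bug.
(define-public gnupg/fixed
  (package
    (inherit gnupg)
    (version "2.2.35")
    (source (gnupg-origin version))))

;; Option B (what Maxim reports at the end of the thread): bump the version
;; in place and drop the `replacement' field.  Every dependent is rebuilt,
;; so in Guix this kind of change goes through the core-updates branch.
;; `guix refresh -l gnupg' is the command that measures that rebuild cost.
(define-public gnupg-updated
  (package
    (inherit gnupg)
    (version "2.2.39")
    (source (gnupg-origin version))
    (replacement #f)))                   ; no graft: plain rebuild
```

With either definition loaded on a `GUIX_PACKAGE_PATH`, `guix build gnupg` produces the 2.2.32 store item for option A and then a grafted variant whose contents come from `gnupg/fixed`, whereas `guix build gnupg-updated` rebuilds from the new source with no graft step.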
Ethan Blanton wrote on 6 Apr 2023 15:22
(name . Simon Tournier)(address . zimon.toutoune@gmail.com)
ZC7HiWzqXv2EJlIf@colt.lan
Simon Tournier wrote:
> Are you proposing to update ’gnupg’ from 2.2.32 to 2.2.33 or why not to
> 2.2.41? And remove the graft ’gnupg/fixed’?

Personally, I think it should advance farther than 2.2.32, as there
are S/MIME bugs prior to 2.2.35 that prevent a variety of
commonly-issued S/MIME keys from being imported (see the link in the
original bug). Selfishly, I have one of those keys and it's a problem
for me, but in general, it seems to include some keys issued by state
agencies in Europe, as well as private issuers in the US and possibly
other locations.
Maxim Cournoyer wrote on 7 May 2023 17:03
(name . Ethan Blanton)(address . elb@kb8ojh.net)
87bkiw18vn.fsf@gmail.com
Hello,

We're now at 2.2.39 on master. Closing!

--
Thanks,
Maxim
Closed