unofficial mirror of bug-guix@gnu.org 
* bug#62294: gnupg is pinned at 2.2.32 for bug that is fixed upstream
@ 2023-03-20 13:01 Ethan Blanton via Bug reports for GNU Guix
  2023-04-04  9:48 ` Simon Tournier
  2023-04-04 16:33 ` Leo Famulari
  0 siblings, 2 replies; 9+ messages in thread
From: Ethan Blanton via Bug reports for GNU Guix @ 2023-03-20 13:01 UTC (permalink / raw)
  To: 62294

It looks like the gnupg package is pinned at 2.2.32 with the following
note:

    ;; Note2: 2.2.33 currently suffers from regressions, so do not update to it
    ;; (see: https://dev.gnupg.org/T5742).

However, the bug referenced here is fixed in upstream commit
4cc724639c012215f59648cbb4b7631b9d352e36, which shipped in gnupg
2.2.34.  Meanwhile, all gnupg releases older than 2.2.35 suffer from
an S/MIME key-parsing bug (referenced in
https://www.mail-archive.com/gnupg-users@gnupg.org/msg40758.html).

I believe the pin on 2.2.32 can be lifted, but as gnupg is important
infrastructure I am unsure about directly submitting a patch to update
to a newer version.

Ethan





* bug#62294: gnupg is pinned at 2.2.32 for bug that is fixed upstream
  2023-03-20 13:01 bug#62294: gnupg is pinned at 2.2.32 for bug that is fixed upstream Ethan Blanton via Bug reports for GNU Guix
@ 2023-04-04  9:48 ` Simon Tournier
  2023-04-04 16:23   ` Leo Famulari
  2023-04-04 16:33 ` Leo Famulari
  1 sibling, 1 reply; 9+ messages in thread
From: Simon Tournier @ 2023-04-04  9:48 UTC (permalink / raw)
  To: Ethan Blanton, 62294

Hi,

On Mon, 20 Mar 2023 at 09:01, Ethan Blanton via Bug reports for GNU Guix <bug-guix@gnu.org> wrote:
> I believe the pin on 2.2.32 can be lifted, but as gnupg is important
> infrastructure I am unsure about directly submitting a patch to update
> to a newer version.

Well, a graft does not seem recommended because it would update to two
versions.  And updating the package would be a core-updates change.

Well, maybe it could be part of the current core-updates dance.  Could you
send a patch for core-updates?


Cheers,
simon





* bug#62294: gnupg is pinned at 2.2.32 for bug that is fixed upstream
  2023-04-04  9:48 ` Simon Tournier
@ 2023-04-04 16:23   ` Leo Famulari
  2023-04-04 17:31     ` Simon Tournier
  0 siblings, 1 reply; 9+ messages in thread
From: Leo Famulari @ 2023-04-04 16:23 UTC (permalink / raw)
  To: Simon Tournier; +Cc: Ethan Blanton, 62294

On Tue, Apr 04, 2023 at 11:48:31AM +0200, Simon Tournier wrote:
> On Mon, 20 Mar 2023 at 09:01, Ethan Blanton via Bug reports for GNU Guix <bug-guix@gnu.org> wrote:
> > I believe the pin on 2.2.32 can be lifted, but as gnupg is important
> > infrastructure I am unsure about directly submitting a patch to update
> > to a newer version.

Thanks for letting us know!

> Well, a graft does not seem recommended because it would update to two
> versions.  And updating the package would be a core-updates change.
> 
> Well, maybe it could be part of the current core-updates dance.  Could you
> send a patch for core-updates?

GnuPG does have a large number of dependent packages, but I'd argue
that's either 1) a bug or 2) something we should ignore and update
freely. It's a critical package, and did not use to have such a large
number of dependents. It's really a problem for the distro if we don't
allow ourselves to update packages like this freely.





* bug#62294: gnupg is pinned at 2.2.32 for bug that is fixed upstream
  2023-03-20 13:01 bug#62294: gnupg is pinned at 2.2.32 for bug that is fixed upstream Ethan Blanton via Bug reports for GNU Guix
  2023-04-04  9:48 ` Simon Tournier
@ 2023-04-04 16:33 ` Leo Famulari
  1 sibling, 0 replies; 9+ messages in thread
From: Leo Famulari @ 2023-04-04 16:33 UTC (permalink / raw)
  To: 62294

On Mon, Mar 20, 2023 at 09:01:33AM -0400, Ethan Blanton via Bug reports for GNU Guix wrote:
> However, the bug referenced here is fixed in upstream commit
> 4cc724639c012215f59648cbb4b7631b9d352e36, which shipped in gnupg
> 2.2.34.  Meanwhile, all gnupg releases older than 2.2.35 suffer from
> an S/MIME key-parsing bug (referenced in
> https://www.mail-archive.com/gnupg-users@gnupg.org/msg40758.html).

Does this bug have a CVE ID, or any information from upstream about
where it was fixed? It's hard to find release notes on the GnuPG
website.





* bug#62294: gnupg is pinned at 2.2.32 for bug that is fixed upstream
  2023-04-04 16:23   ` Leo Famulari
@ 2023-04-04 17:31     ` Simon Tournier
  2023-04-05  1:27       ` Leo Famulari
  0 siblings, 1 reply; 9+ messages in thread
From: Simon Tournier @ 2023-04-04 17:31 UTC (permalink / raw)
  To: Leo Famulari; +Cc: Ethan Blanton, 62294

Hi Leo,

On Tue, 04 Apr 2023 at 12:23, Leo Famulari <leo@famulari.name> wrote:

>> Well, a graft does not seem recommended because it would update to two
>> versions.  And updating the package would be a core-updates change.
>> 
>> Well, maybe it could be part of the current core-updates dance.  Could you
>> send a patch for core-updates?
>
> GnuPG does have a large number of dependent packages, but I'd argue
> that's either 1) a bug or 2) something we should ignore and update
> freely. It's a critical package, and did not use to have such a large
> number of dependents. It's really a problem for the distro if we don't
> allow ourselves to update packages like this freely.

Maybe I am doing something wrong, I get:

--8<---------------cut here---------------start------------->8---
$ guix refresh -l gnupg | cut -f1 -d':'
Building the following 1491 packages would ensure 2880 dependent packages are rebuilt
--8<---------------cut here---------------end--------------->8---

So the impact is ~10% of all the packages.  From a quick look, some
packages are intensive to rebuild, to my knowledge.

Are you proposing to graft?


Cheers,
simon





* bug#62294: gnupg is pinned at 2.2.32 for bug that is fixed upstream
  2023-04-04 17:31     ` Simon Tournier
@ 2023-04-05  1:27       ` Leo Famulari
  2023-04-05  6:49         ` Simon Tournier
  0 siblings, 1 reply; 9+ messages in thread
From: Leo Famulari @ 2023-04-05  1:27 UTC (permalink / raw)
  To: Simon Tournier; +Cc: Ethan Blanton, 62294

On Tue, Apr 04, 2023 at 07:31:47PM +0200, Simon Tournier wrote:
> Maybe I am doing something wrong, I get:
> 
> --8<---------------cut here---------------start------------->8---
> $ guix refresh -l gnupg | cut -f1 -d':'
> Building the following 1491 packages would ensure 2880 dependent packages are rebuilt
> --8<---------------cut here---------------end--------------->8---
> 
> So the impact is ~10% of all the packages.  From a quick look, some
> packages are intensive to rebuild, to my knowledge.

Yes, that's correct. But our build farm can easily build these packages
quickly, if we wanted to use it for that.





* bug#62294: gnupg is pinned at 2.2.32 for bug that is fixed upstream
  2023-04-05  1:27       ` Leo Famulari
@ 2023-04-05  6:49         ` Simon Tournier
  2023-04-06 13:22           ` Ethan Blanton via Bug reports for GNU Guix
  0 siblings, 1 reply; 9+ messages in thread
From: Simon Tournier @ 2023-04-05  6:49 UTC (permalink / raw)
  To: Leo Famulari; +Cc: Ethan Blanton, 62294

Hi Leo,

On Tue, 04 Apr 2023 at 21:27, Leo Famulari <leo@famulari.name> wrote:

>> So the impact is ~10% of all the packages.  From a quick look, some
>> packages are intensive to rebuild, to my knowledge.
>
> Yes, that's correct. But our build farm can easily build these packages
> quickly, if we wanted to use it for that.

Well, I do not know.  Let’s do it! :-)

Are you proposing to update ’gnupg’ from 2.2.32 to 2.2.33 or why not to
2.2.41?  And remove the graft ’gnupg/fixed’?

Or are you proposing to replace the graft ’gnupg/fixed’ with a version
other than 2.2.32, such as 2.2.33 or higher?


Cheers,
simon





* bug#62294: gnupg is pinned at 2.2.32 for bug that is fixed upstream
  2023-04-05  6:49         ` Simon Tournier
@ 2023-04-06 13:22           ` Ethan Blanton via Bug reports for GNU Guix
  2023-05-07 15:03             ` Maxim Cournoyer
  0 siblings, 1 reply; 9+ messages in thread
From: Ethan Blanton via Bug reports for GNU Guix @ 2023-04-06 13:22 UTC (permalink / raw)
  To: Simon Tournier; +Cc: 62294, Leo Famulari

Simon Tournier wrote:
> Are you proposing to update ’gnupg’ from 2.2.32 to 2.2.33 or why not to
> 2.2.41?  And remove the graft ’gnupg/fixed’?

Personally, I think it should advance farther than 2.2.32, as there
are S/MIME bugs prior to 2.2.35 that prevent a variety of
commonly-issued S/MIME keys from being imported (see the link in the
original bug).  Selfishly, I have one of those keys and it's a problem
for me, but in general, it seems to include some keys issued by state
agencies in Europe, as well as private issuers in the US and possibly
other locations.





* bug#62294: gnupg is pinned at 2.2.32 for bug that is fixed upstream
  2023-04-06 13:22           ` Ethan Blanton via Bug reports for GNU Guix
@ 2023-05-07 15:03             ` Maxim Cournoyer
  0 siblings, 0 replies; 9+ messages in thread
From: Maxim Cournoyer @ 2023-05-07 15:03 UTC (permalink / raw)
  To: Ethan Blanton; +Cc: Leo Famulari, 62294-done, Simon Tournier

Hello,

We're now at 2.2.39 on master.  Closing!

-- 
Thanks,
Maxim



