Re: Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3
On 2018-10-23 15:35, Daniel Kahn Gillmor wrote:
Thanks to Adam for your ongoing work on the stable releases!
I just wanted to clarify a few points here.
On Tue 2018-10-23 08:57:08 +0100, Adam D. Barratt wrote:
An issue is that the gnupg update itself doesn't really qualify for
stable-updates any more than it qualifies for stable-security. The
changes to gnupg itself are at best security improvements, which isn't
justification for forcing all stretch users to install the new version
as a matter of urgency - indeed, if the new version of enigmail
relying on new functionality no-one would be suggesting pushing gnupg
urgently - nor, I imagine, backporting all of the mentioned features.
I would be pushing for a stable point release for GnuPG at least for
cryptographic defaults refresh, and the series of minor bugfixes that
resolve outstanding problems.
Sure, but that's not what I said. My distinction was between including
the gnupg update in the point release versus pushing it more urgently
via stable-updates. I never implied the updates shouldn't be released at
If that's the case, then either debian's policies or practices need to
change, or debian needs to get a more capable maintainer for GnuPG who
can figure out how to effectively navigate or avoid what feels like a
buck-passing deadlock between two (maybe three)
overworked/underresourced teams. I welcome any help in that regard.
FWIW I don't recognise that characterisation. Yes, I should have
confirmed the Security Team's intentions at an earlier point, but I
don't consider that buck-passing or the situation deadlocked.