
Re: Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3

On 2018-10-23 15:35, Daniel Kahn Gillmor wrote:
> Thanks to Adam for your ongoing work on the stable releases!
>
> I just wanted to clarify a few points here.
>
> On Tue 2018-10-23 08:57:08 +0100, Adam D. Barratt wrote:
>> An issue is that the gnupg update itself doesn't really qualify for
>> stable-updates any more than it qualifies for stable-security. The
>> changes to gnupg itself are at best security improvements, which isn't
>> justification for forcing all stretch users to install the new version
>> as a matter of urgency - indeed, if the new version of enigmail weren't
>> relying on new functionality no-one would be suggesting pushing gnupg so
>> urgently - nor, I imagine, backporting all of the mentioned features.
>
> I would be pushing for a stable point release for GnuPG at least for the
> cryptographic defaults refresh, and the series of minor bugfixes that
> resolve outstanding problems.

Sure, but that's not what I said. My distinction was between including the gnupg update in the point release versus pushing it more urgently via stable-updates. I never implied the updates shouldn't be released at all.

> If that's the case, then either debian's policies or practices need to
> change, or debian needs to get a more capable maintainer for GnuPG who
> can figure out how to effectively navigate or avoid what feels like a
> buck-passing deadlock between two (maybe three)
> overworked/underresourced teams.  I welcome any help in that regard.

FWIW I don't recognise that characterisation. Yes, I should have confirmed the Security Team's intentions at an earlier point, but I don't consider that buck-passing or the situation deadlocked.


