
Re: Bug#932684: buster-pu: package gnupg2/2.2.12-1+deb10u1



Control: tags -1 + confirmed d-i

[full quote for KiBi's benefit]

On 2019-08-21 20:05, Daniel Kahn Gillmor wrote:
On Wed 2019-08-21 18:19:06 +0100, Adam D. Barratt wrote:
 * We adopt GnuPG's upstream approach of making keyserver access
   default to self-sigs-only.  This means that the keyserver cannot
   flood the user's keyring by default. (we do *not* adopt upstream's
   choice of import-clean for keyserver default, see
   https://dev.gnupg.org/T4628 for more explanation)

The introduction of this change in unstable (and since in testing)
apparently led to some confusion amongst, and queries from, members of
the project, so is likely to have a similar (but quite possibly larger)
effect on the wider stable user base.

If we are to include it, I think it would therefore be wise to ensure
that it is accompanied by a NEWS entry which briefly explains the
change and its implications. (Relatedly, the further through the stable
cycle we get, the more awkward this would be to introduce.)

Thanks, that's entirely reasonable.  I've put this NEWS item into the
debian/buster branch on salsa.  Otherwise, the debdiff is the same.


diff --git a/debian/NEWS b/debian/NEWS
index 0a6a7440d..3005e935c 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,25 @@
+gnupg2 (2.2.12-1+deb10u1) buster; urgency=medium
+
+ In this version we adopt GnuPG's upstream approach of making keyserver
+  access default to self-sigs-only.  This defends against receiving
+ flooded OpenPGP certificates. To revert to the previous behavior (not
+  recommended!), add the following directive to ~/.gnupg/gpg.conf:
+
+    keyserver-options no-self-sigs-only
+
+ We also adopt keys.openpgp.org as the default keyserver, since it avoids + the associated bandwidth waste of fetching third-party certifications + that will not be used. To revert to the older SKS keyserver network (not
+  recommended!), add the following directive to ~/.gnupg/dirmngr.conf:
+
+    keyserver hkps://hkps.pool.sks-keyservers.net
+
+  Note: we do *not* adopt upstream's choice of import-clean for the
+  keyserver default, since it can lead to data loss, see
+  https://dev.gnupg.org/T4628 for more details.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Wed, 21 Aug 2019
14:53:47 -0400
+
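Review bot: the body indentation in this NEWS entry is inconsistent and should be aligned before upload: `+ In this version we adopt GnuPG's upstream approach of making keyserver` and `+ flooded OpenPGP certificates. To revert to the previous behavior (not` start with a single space, while the neighbouring lines such as `+  access default to self-sigs-only.  This defends against receiving` use the two-space body indent that the rest of the entry (and the conventional Debian NEWS layout) uses. The `-- Daniel Kahn Gillmor` trailer also needs to sit on one line with the two-space date separator so that the entry parses as a changelog-style stanza. Content-wise the entry is clear: it names both new defaults (self-sigs-only and keys.openpgp.org), gives the exact directive and file for reverting each, and records why import-clean was not adopted.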


Let me know if you want me to re-generate a full debdiff, or if you're
ok with this plus the previous debdiff (with an updated date on
debian/changelog to match debian/NEWS),

That's fine, thanks.

let me know whether I should go
ahead and upload.

This will need a d-i ack, so tagging + CCing.

Regards,

Adam

