Re: HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport

To: Emilio Pozuelo Monfort <pochu@debian.org>, debian-lts@lists.debian.org
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: Re: HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport
From: Antoine Beaupré <anarcat@orangeseeds.org>
Date: Fri, 14 Dec 2018 09:26:50 -0500
Message-id: <[🔎] 87mup8dw0l.fsf@curie.anarc.at>
In-reply-to: <[🔎] bfc66b55-1001-5d4e-4b5d-c5c656171b75@debian.org>
References: <[🔎] 87zht94219.fsf@curie.anarc.at> <[🔎] bfc66b55-1001-5d4e-4b5d-c5c656171b75@debian.org>

On 2018-12-14 09:08:42, Emilio Pozuelo Monfort wrote:
> On 13/12/2018 21:14, Antoine Beaupré wrote:
>> Hi,
>> 
>> This is the latest update in the Thunderbird / Enigmail changes that are
>> happening in jessie. I have built a series of test packages, partly from
>> stretch (gnupg2, enigmail) and partly from backports (libassuan,
>> libgcrypt, libgpg-error, npth) and uploaded them here:
>> 
>> https://people.debian.org/~anarcat/debian/jessie-lts/
>> 
>> I need people to test those packages, and not just enigmail users. Some
>> of those packages have pernicious and deep ramifications. I am
>> particularly worried about libgcrypt, which is used for example by
>> cryptsetup.
>
> I see that your tests have gone well so far (except for enigmail itself for
> unrelated reasons as you explain). This is great work, and I don't mean to push
> back on it. However given the impact of these library updates, I was wondering
> if we have considered to just mark enigmail as EOL in jessie? Obviously if we
> can keep supporting stuff we should do that, but as you say these library
> updates affect important unrelated rdeps so we need to weigh that.

I have repeatedly considered this, and received almost zero feedback on
the idea, other than "we should support our users", which I took as a go
ahead to actually complete the backport.

I have outlined the tradeoffs of this in the past. For me, the biggest
concern is that users will blindly install Enigmail from the app store
and that actually has security vulnerabilities because the jessie gpg
version is too old, as I understand it.

> BTW I have briefly looked at the versions you have backported, and I wonder why
> npth and libgpg-error have deb8u3 rather than deb8u1?

An oversight. I also need to use dh-autoreconf in enigmail as I have
been told it actually exists in jessie - not sure how I couldn't find
it. :)

> I haven't looked at your changes yet, but I will find some time to look at them
> and give these packages a try.

Thanks! The more testing we get, the better off we'll be. :)

A.

-- 
No animal has more liberty than the cat; but it buries the mess it
makes. The cat is the best anarchist. Until they learn that from the cat
I cannot respect them.
                        - For whom the bell tolls, Ernest Hemingway

Reply to:

Follow-Ups:
- Re: HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport
  - From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

References:
- HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport
  - From: Antoine Beaupré <anarcat@orangeseeds.org>
- Re: HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport
  - From: Emilio Pozuelo Monfort <pochu@debian.org>

Prev by Date: Re: Jessie update of faad2?
Next by Date: Re: HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport
Previous by thread: Re: HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport
Next by thread: Re: HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport
Index(es):
- Date
- Thread