
Bug#932684: buster-pu: package gnupg2/2.2.12-1+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Control: affects -1 src:gnupg2

The version of GnuPG in debian buster (2.2.12-1) has a number of
outstanding bugs related to OpenPGP certificate management and network
access.  Many of these concerns are addressed in some of the patches
in upstream's STABLE-BRANCH-2-2 series.

The debdiff (attached) is basically a slew of bugfix, documentation,
stability, and efficiency patches cherry-picked from upstream, plus
some additional changes to reduce the exposure of debian users to
malicious attack on the SKS keyserver network, and some improvements
in the continuous integration test suite.

These additional changes address concerns due to the fact that the SKS
keyserver network is failing due to abuse, and GnuPG had used it as a
default keyserver.  These changes offer ways to work around the
problems our users face when fetching data off the network today.  In
particular:

 * We adopt GnuPG's upstream approach of making keyserver access
   default to self-sigs-only.  This means that the keyserver cannot
   flood the user's keyring by default. (we do *not* adopt upstream's
   choice of import-clean for keyserver default, see
   https://dev.gnupg.org/T4628 for more explanation)
   
 * We constrain the SKS CA to only validate
   hkps.pool.sks-keyservers.net (and we avoid using the system CAs for
   the SKS pool), thereby tightening the confidentiality constraints
   on TLS-wrapped keyserver access.

 * Since the SKS pool's distribution of third-party certifications
   will be ignored by default, we change the default keyserver to
   hkps://keys.openpgp.org, which won't waste the user's bandwidth for
   data that they won't even consider by default.  keys.openpgp.org is
   significantly more performant for read-only clients (most keyserver
   access) than any member of the SKS pool.

 * We also allow GnuPG to merge certificate updates (revocations,
   subkey rotations) which might be published on keys.openpgp.org
   without any user ID (see https://dev.gnupg.org/T4393 for more
   discussion).  This represents a security improvement for users who
   might otherwise use a locally-cached certificate that should have
   been revoked, or who cannot encrypt to a locally-cached certificate
   because they don't know about its new encryption-capable subkey.

 * migrate-pubring-from-classic-gpg fails when the user's keyring
   contains a flooded certificate -- we address this (#931385), and
   add a test for it.

-------

A note about "web of trust" and the third-party certifications it
depends on:

Third-party certifications are still importable by default over WKD
and DANE/OPENPGPKEY access.  It is generally recommended to use those
mechanisms where providers offer them, using --locate-key by e-mail
address instead of --search.

A user who wants to import arbitrary third-party certifications via
HKP or HKPS can still do so by identifying their trusted keyserver
source and indicating that third-party certifications are OK.  For
example:

    --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options no-self-sigs-only

-------

Finally, we add an additional simple test for ci.debian.org, and we
adjust the gpgv-win32 ci test so that it will only run on i386 testers
(#905563).  continuous integration for the win! :)

The changelog entry provides this summary:

gnupg2 (2.2.12-1+deb10u1) buster; urgency=medium

  * drop unneeded patch for printing revocation certificates
  * backport bugfix and stability patches from upstream 2.2.13
  * backport bugfix and stability patches from upstream 2.2.14
  * backport documentation, stability, ssh, and WKD patches from upstream 2.2.15
  * backport documentation and bugfix patches from upstream 2.2.16
  * import bugfixes and cleanup around secret key handling from 2.2.14
  * backport bugfixes, documentation, WKD, and keyserver fixes from 2.2.17
  * import efficiency and security fixes from upstream STABLE-BRANCH-2-2
  * avoid using SKS pool CA unless the keyserver is hkps.pool.sks-keyservers.net
  * drop import-clean from default keyserver options, to avoid data loss
  * use keys.openpgp.org as the default keyserver
  * enable merging certificate updates even if update has no user ID
  * update Vcs-Git: to point to debian/buster branch
  * Adopt migrate-pubring-from-classic-gpg robustness fixes (Closes: #931385)
  * add new CI test: debian/tests/simple-tests
  * debian/tests/gpgv-win32: make arch-specific (Closes: #905563)

 -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Sun, 21 Jul 2019 15:39:05 -0400


I recognize that this is a lot of changes, but upstream's 2.2 branch
is intended to be stable.  (Most of the GnuPG development work is
happening on the 2.3 branch, and most of the work on 2.2 is just
backports of bugfixes.)  These changes are also visible on the
debian/buster branch on https://salsa.debian.org/debian/gnupg2.

So another option, if the release-team prefers, would be to move GnuPG
on buster to 2.2.17, with some of the additional changes mentioned
above -- that would involve more upstream changes that are not
currently included in this series, but it would also mean that our
versions are less divergent from what upstream believes the shipped
version of gnupg is.  Please let me know if you'd prefer that i take
that approach instead of these patch queues.

Fwiw, i don't think that GnuPG upstream is as stable as i would
personally like it to be, but the set of changes i've included here
attempt to minimize the amount of negative disruption that a user
might experience from the upgrade, while still ensuring that the user
can deal with the current reality of how OpenPGP certificates are
distributed on the public Internet.

Regards,

        --dkg

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Attachment: gnupg2_2.2.12-1_2.2.12-1+deb10u1.debdiff.gz
Description: application/gzip
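The self-sigs-only keyserver default discussed in the report above, modelled as an added example (this is not GnuPG's code and not part of the Debian package): a small Python OpenPGP packet walker that keeps a certificate's key, user ID and attribute packets and drops every signature whose issuer is not the certificate's own primary key, which is what stops a keyserver from flooding the keyring with third-party certifications. Packet, subpacket and key ID layouts follow RFC 4880; the sample certificate, its fake RSA MPIs, the timestamps and the "stranger" issuer key IDs are constructed for the example and do not verify as real signatures. GnuPG's real import filter is implemented differently; this only shows the effect on a flooded certificate.

```python
"""Simplified model of GnuPG's self-sigs-only import filter.  Constructed
example, not GnuPG or Debian code: walks an OpenPGP packet stream and drops
every signature not issued by the certificate's own primary key."""
import hashlib
import struct

def _length(buf, i, new_style):
    """Decode an OpenPGP length at buf[i] -> (length, next_index); serves
    new-format packet headers (new_style=True) and signature subpackets."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < (224 if new_style else 255):
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths not supported")

def parse_packets(data):
    """Yield (tag, body) per packet; old/new headers, definite lengths only."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not a packet header")
        if ctb & 0x40:                                 # new-format header
            tag = ctb & 0x3F
            length, i = _length(data, i + 1, True)
        else:                                          # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            width = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i + 1:i + 1 + width], "big")
            i += 1 + width
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        yield tag, body

def encode_packet(tag, body):
    """New-format packet header with a one-, two- or five-octet length."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    if n < 8384:
        return bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF]) + body
    return bytes([0xC0 | tag, 255]) + struct.pack(">I", n) + body

def v4_keyid(key_body):
    # v4 key ID: low 64 bits of SHA-1(0x99 || 2-octet length || key body)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()[-8:]

def subpackets(area):
    i = 0
    while i < len(area):
        length, i = _length(area, i, False)
        yield area[i] & 0x7F, area[i + 1:i + length]    # (type, data)
        i += length

def signature_issuer(sig_body):
    """Issuer key ID of a v4 signature from subpacket 16 (Issuer) or 33
    (v4 Issuer Fingerprint); hashed area searched first.  None if absent."""
    if sig_body[0] != 4:
        return None
    hlen = struct.unpack(">H", sig_body[4:6])[0]
    ulen = struct.unpack(">H", sig_body[6 + hlen:8 + hlen])[0]
    for area in (sig_body[6:6 + hlen], sig_body[8 + hlen:8 + hlen + ulen]):
        for stype, data in subpackets(area):
            if stype == 16 and len(data) == 8:
                return data
            if stype == 33 and len(data) == 21 and data[0] == 4:
                return data[-8:]
    return None

def self_sigs_only(cert):
    """Return (filtered_cert, dropped): key, user ID and attribute packets
    are kept; signatures whose issuer is not the primary key are dropped."""
    packets = list(parse_packets(cert))
    if not packets or packets[0][0] != 6:
        raise ValueError("stream does not start with a public-key packet")
    primary = v4_keyid(packets[0][1])
    kept, dropped = [], 0
    for tag, body in packets:
        if tag == 2 and signature_issuer(body) != primary:
            dropped += 1
            continue
        kept.append((tag, body))
    return b"".join(encode_packet(t, b) for t, b in kept), dropped

# --- constructed sample: fake primary key, one self-sig, N flood sigs ----
def _signature(issuer_keyid, sigtype):
    sub = lambda t, d: bytes([len(d) + 1, t]) + d     # one-octet subpacket length
    hashed = sub(2, b"\x5d\x34\x5c\x00") + sub(16, issuer_keyid)
    body = (bytes([4, sigtype, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + b"\x00\x00" + b"\x00\x00" + b"\x00\x08\x2a")  # no unhashed area; fake hash/MPI
    return encode_packet(2, body)

def build_sample_cert(flood_sigs=3):
    key_body = bytes([4]) + b"\x5d\x34\x5c\x00" + bytes([1]) + b"\x00\x10\xc0\x01" + b"\x00\x11\x01\x00\x01"
    primary = v4_keyid(key_body)                         # fake v4 RSA key, garbage MPIs
    cert = encode_packet(6, key_body) + encode_packet(13, b"Example <e@example.net>")
    cert += _signature(primary, 0x13)                    # positive self-certification
    for i in range(flood_sigs):                          # third-party certifications
        cert += _signature(bytes([0xF0 + i]) * 8, 0x10)  # constructed stranger key IDs
    return cert, primary
```

Fed the output of `gpg --export <keyid>` for a flooded certificate, the filter reduces it to its own packets and self-signatures, which is the effect the new keyserver default has at import time. It would be the wrong thing to apply to a WKD or DANE/OPENPGPKEY response, since those paths are left importing third-party certifications by default, as the report notes.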

