
Bug#932684: buster-pu: package gnupg2/2.2.12-1+deb10u1



Control: tags -1 + moreinfo

On Sun, 2019-07-21 at 15:55 -0400, Daniel Kahn Gillmor wrote:
> The version of GnuPG in debian buster (2.2.12-1) has a number of
> outstanding bugs related to OpenPGP certificate management and
> network access.  Many of these concerns are addressed in some of the
> patches in upstream's STABLE-BRANCH-2-2 series.
> 
> The debdiff (attached) is basically a slew of bugfix, documentation,
> stability, and efficiency patches cherry-picked from upstream, plus
> some additional changes to reduce the exposure of debian users to
> malicious attack on the SKS keyserver network, and some improvements
> in the continuous integration test suite.

Apologies for the delay in getting back to you regarding this.

On the whole, I'm happy to trust your judgement on the necessity of the
included changes; however, this change in particular is one of the
reasons for the delay, while I considered it and sought wider input:

>  * We adopt GnuPG's upstream approach of making keyserver access
>    default to self-sigs-only.  This means that the keyserver cannot
>    flood the user's keyring by default. (we do *not* adopt upstream's
>    choice of import-clean for keyserver default, see
>    https://dev.gnupg.org/T4628 for more explanation)

The introduction of this change in unstable (and since in testing)
apparently led to some confusion amongst, and queries from, members of
the project, so is likely to have a similar (but quite possibly larger)
effect on the wider stable user base.

If we are to include it, I think it would therefore be wise to ensure
that it is accompanied by a NEWS entry which briefly explains the
change and its implications. (Relatedly, the further through the stable
cycle we get, the more awkward this would be to introduce.)

Regards,

Adam
