On Wed 2019-08-21 18:19:06 +0100, Adam D. Barratt wrote:
>> * We adopt GnuPG's upstream approach of making keyserver access
>> default to self-sigs-only. This means that the keyserver cannot
>> flood the user's keyring by default. (we do *not* adopt upstream's
>> choice of import-clean for keyserver default, see
>> https://dev.gnupg.org/T4628 for more explanation)
>
> The introduction of this change in unstable (and since in testing)
> apparently led to some confusion amongst, and queries from, members of
> the project, so is likely to have a similar (but quite possibly larger)
> effect on the wider stable user base.
>
> If we are to include it, I think it would therefore be wise to ensure
> that it is accompanied by a NEWS entry which briefly explains the
> change and its implications. (Relatedly, the further through the stable
> cycle we get, the more awkward this would be to introduce.)

Thanks, that's entirely reasonable. I've put this NEWS item into the
debian/buster branch on salsa. Otherwise, the debdiff is the same.

diff --git a/debian/NEWS b/debian/NEWS
index 0a6a7440d..3005e935c 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,25 @@
+gnupg2 (2.2.12-1+deb10u1) buster; urgency=medium
+
+ In this version we adopt GnuPG's upstream approach of making keyserver
+ access default to self-sigs-only. This defends against receiving
+ flooded OpenPGP certificates. To revert to the previous behavior (not
+ recommended!), add the following directive to ~/.gnupg/gpg.conf:
+
+ keyserver-options no-self-sigs-only
+
+ We also adopt keys.openpgp.org as the default keyserver, since it avoids
+ the associated bandwidth waste of fetching third-party certifications
+ that will not be used. To revert to the older SKS keyserver network (not
+ recommended!), add the following directive to ~/.gnupg/dirmngr.conf:
+
+ keyserver hkps://hkps.pool.sks-keyservers.net
+
+ Note: we do *not* adopt upstream's choice of import-clean for the
+ keyserver default, since it can lead to data loss, see
+ https://dev.gnupg.org/T4628 for more details.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 21 Aug 2019 14:53:47 -0400
+
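
Review bot: The first paragraph of the new NEWS entry names self-sigs-only and says what it defends against, but never states what the option does to an imported certificate, which is the implication the entry was requested to explain. Suggest adding one sentence saying that with this default only self-signatures are kept when a certificate is fetched from a keyserver and third-party certifications are discarded, so users who rely on those certifications understand why they no longer appear after a refresh. The second paragraph already hints at this with "third-party certifications that will not be used"; stating it once, up front, would make both paragraphs easier to follow.
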

Let me know if you want me to re-generate a full debdiff, or if you're
ok with this plus the previous debdiff (with an updated date on
debian/changelog to match debian/NEWS), let me know whether I should go
ahead and upload.

Thanks for your thoughtfulness and review.

Regards,

--dkg