
Re: Regarding ideas to replace gpgv with sqv



On Tue, Feb 02, 2021 at 01:58:38PM +0100, Neal H. Walfield wrote:
> Thanks for following up.
> 
> On Tue, 02 Feb 2021 13:48:15 +0100,
> Julian Andres Klode wrote:
> > On Sun, Jan 31, 2021 at 02:01:02PM +0100, Neal H. Walfield wrote:
> > > On Thu, 28 Jan 2021 11:15:18 +0100,
> > > Julian Andres Klode wrote:
> > I don't care about these ports as we don't need to provide security support
> > for them, so well, so keeping frozen gpgv code paths around would work
> > (heck, they'll still get updated anyway, but no need to rush out updates
> > for stable releases in like 8 years or so when the existing stable
> > releases have all EOLed).
> 
> Ok.
> 
> > > If apt were to use SOP, you'd only have to maintain a single code
> > > path, but different distributions and different architectures could
> > > still use their preferred OpenPGP backend.
> > 
> > Different backends have different bugs, so we do want to use the same
> > backends across major distros to ensure that we all see the same bugs.
> 
> I agree with this concern.
> 
> 
> It sounds like you are suggesting that adding Sequoia directly to apt
> would be the best way forward given the trade offs.  But, you didn't
> say that explicitly.  Did I understand correctly?

I cannot say that. Work me says this needs extensive internal discussions
at Canonical to figure out what we can support on the Ubuntu side - Sequoia
is not an easy pill to swallow with its over 100 dependencies[1].

Maybe we should instead migrate from OpenPGP to using Ed25519 keys
directly, there is not a lot of value in OpenPGP after all, and a lot of
issues like the inability to deprecate MD5 or SHA1 for ages. OpenBSD
did that with its signify tool, and it seems to work well for them.

-- [1] List of librust-sequoia-openpgp+default-dev dependencies, source
packages

rust-adler32
rust-aho-corasick
rust-ansi-term
rust-anyhow
rust-ascii-canvas
rust-atty
rust-autocfg
rust-backtrace
rust-backtrace-sys
rust-base64
rust-bindgen
rust-bitflags
rust-bit-set
rust-bit-vec
rust-block-buffer
rust-block-padding
rust-buffered-reader
rust-byteorder
rust-byte-tools
rust-bzip2
rust-bzip2-sys
rust-cc
rust-cexpr
rust-cfg-if-0.1
rust-clang-sys
rust-clap
rust-crc32fast
rust-diff
rust-digest
rust-dirs
rust-dirs-sys
rust-docopt
rust-dyn-clone
rust-either
rust-ena
rust-fake-simd
rust-fixedbitset
rust-flate2
rust-generic-array
rust-getrandom
rust-glob
rust-heck
rust-idna
rust-indexmap
rust-itertools
rust-lalrpop
rust-lalrpop-util
rust-lazycell
rust-lazy-static
rust-libc
rust-log
rust-matches
rust-memchr
rust-memsec
rust-miniz-oxide
rust-nettle
rust-nettle-sys
rust-new-debug-unreachable
rust-nom
rust-opaque-debug
rust-peeking-take-while
rust-petgraph
rust-phf-shared
rust-pkg-config
rust-precomputed-hash
rust-proc-macro2
rust-proc-macro-error
rust-proc-macro-error-attr
rust-quote
rust-regex
rust-regex-syntax
rust-rustc-demangle
rust-rustc-hash
rust-sequoia-openpgp
rust-serde
rust-serde-derive
rust-sha1collisiondetection
rust-sha2
rust-shlex
rust-siphasher
rust-smallvec
rust-string-cache
rust-strsim
rust-structopt
rust-structopt-derive
rust-syn
rust-syn-mid
rust-term
rust-textwrap
rust-thiserror
rust-thiserror-impl
rust-thread-local
rust-typenum
rust-unicode-bidi
rust-unicode-normalization
rust-unicode-segmentation
rust-unicode-width
rust-unicode-xid
rust-unreachable
rust-vec-map
rust-version-check
rust-void
rust-winapi
rust-winapi-i686-pc-windows-gnu
rust-winapi-x86-64-pc-windows-gnu


-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en

