Re: Regarding ideas to replace gpgv with sqv
On Tue, Feb 02, 2021 at 01:58:38PM +0100, Neal H. Walfield wrote:
> Thanks for following up.
> On Tue, 02 Feb 2021 13:48:15 +0100,
> Julian Andres Klode wrote:
> > On Sun, Jan 31, 2021 at 02:01:02PM +0100, Neal H. Walfield wrote:
> > > On Thu, 28 Jan 2021 11:15:18 +0100,
> > > Julian Andres Klode wrote:
> > I don't care about these ports as we don't need to provide security support
> > for them, so well, so keeping frozen gpgv code paths around would work
> > (heck, they'll still get updated anyway, but no need to rush out updates
> > for stable releases in like 8 years or so when the existing stable
> > releases have all EOLed).
> > > If apt were to use SOP, you'd only have to maintain a single code
> > > path, but different distributions and different architectures could
> > > still use their preferred OpenPGP backend.
> > Different backends have different bugs, so we do want to use the same
> > backends across major distros to ensure that we all see the same bugs.
> I agree with this concern.
> It sounds like you are suggesting that adding Sequoia directly to apt
> would be the best way forward given the trade offs. But, you didn't
> say that explicitly. Did I understand correctly?
I cannot say that. Work me says this needs extensive internal discussions
at Canonical to figure out what we can support on the Ubuntu side - Sequoia
is not an easy pill to swallow with its over 100 dependencies.
Maybe we should instead migrate from OpenPGP to using Ed25519 keys
directly, there is not a lot of value in OpenPGP after all, and a lot of
issues like the inability to deprecate MD5 or SHA1 for ages. OpenBSD
did that with its signify tool, and it seems to work well for them.
--  List of librust-sequioa-openpgp+default-dev dependencies, source
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
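To make concrete what "using Ed25519 keys directly" would look like in practice, here is an added example that is not part of this thread and is not code from apt, gpgv, sqv or OpenBSD's signify. It shows a minimal detached-signature scheme over a constructed Release-style file using only Go's standard library: the signer emits a `keyid:signature` line, the verifier looks the key up in a trust store (the analogue of `/etc/apt/trusted.gpg.d`) and rejects anything malformed, unknown or tampered. The line format and the key-ID derivation are assumptions of this example, not signify's format or any existing one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// SampleRelease is a constructed stand-in for an apt Release file; it is
// not a real Debian or Ubuntu Release file.
const SampleRelease = `Origin: Example
Suite: stable
Codename: example
SHA256:
 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 1234 main/binary-amd64/Packages
`

// KeyID derives a short identifier from a public key (hypothetical scheme,
// similar in spirit to signify's key number) so a signature can name the
// key it was made with and the verifier can look it up in its trust store.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return base64.RawURLEncoding.EncodeToString(sum[:8])
}

// SignRelease produces a detached signature line "keyid:base64(sig)".
// Ed25519 fixes the hash (SHA-512) inside the scheme, so there is no
// per-signature digest algorithm to negotiate or later deprecate.
func SignRelease(priv ed25519.PrivateKey, release []byte) string {
	sig := ed25519.Sign(priv, release)
	return KeyID(priv.Public().(ed25519.PublicKey)) + ":" + base64.StdEncoding.EncodeToString(sig)
}

// VerifyRelease checks a signature line against a map of trusted keys.
// Any malformed input, unknown key or bad signature is rejected with an error.
func VerifyRelease(trusted map[string]ed25519.PublicKey, release []byte, sigLine string) error {
	id, encoded, ok := strings.Cut(sigLine, ":")
	if !ok {
		return errors.New("malformed signature line")
	}
	pub, ok := trusted[id]
	if !ok {
		return fmt.Errorf("signature names untrusted key %q", id)
	}
	sig, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return fmt.Errorf("bad signature encoding: %w", err)
	}
	if len(sig) != ed25519.SignatureSize {
		return fmt.Errorf("signature has %d bytes, want %d", len(sig), ed25519.SignatureSize)
	}
	if !ed25519.Verify(pub, release, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	trusted := map[string]ed25519.PublicKey{KeyID(pub): pub}
	sigLine := SignRelease(priv, []byte(SampleRelease))
	fmt.Println("signature:", sigLine)
	fmt.Println("verify original:", VerifyRelease(trusted, []byte(SampleRelease), sigLine))
	// A single modified byte in the Release file must fail verification.
	tampered := []byte(strings.Replace(SampleRelease, "1234", "1235", 1))
	fmt.Println("verify tampered:", VerifyRelease(trusted, tampered, sigLine))
}
```

The whole trust decision is the map lookup plus one `ed25519.Verify` call; there is no key packet parsing, no subkey or expiry logic and no choice of digest, which is the simplification the message above is weighing against OpenPGP. What this does not give you is key rotation or revocation metadata, so a real deployment would still need a way to ship and expire trusted keys (signify handles this through key names and the base system upgrade path).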