Bug#1119944: Unable to continue using gpgv on trixie
Dear Julian,
thank you very much for your fast response.
On Sun, 02 Nov 2025 18:55:10 +0100
Julian Andres Klode <jak@debian.org> wrote:
> Thank you for your bug report.
>
> Unfortunately GnuPG has decided to abandon the OpenPGP standard and is therefore being phased out as it's no longer compatible with standards compliant implementations.
I fully support relying on standards, but could you point out examples,
please? How can it be that GnuPG supported a standard for decades and
then suddenly abandoned it?
As far as I can tell GnuPG has compliance options which allow it to
operate in compliance with the OpenPGP standard/RFCs or even ancient PGP
implementations.
https://www.gnupg.org/documentation/manuals/gnupg-devel/Compliance-Options.html
Do these not work for APT?
> This means some repositories simply might not work with it anymore.
At this point, actually, quite the opposite seems to be true. sqv is
having problems working with existing repositories, e.g. from just a
very brief web search:
https://lists.debian.org/deity/2025/03/msg00008.html
https://github.com/flacon/flacon/issues/242
https://github.com/go-gitea/gitea/issues/33400
> It also does not implement safe coding practices, leading to command line options that are silently ignored in some cases because they were only meant to be used in some special modes, for example.
>
> GnuPG also does not implement a safe interface for clients to verify files against. It returns successful exit codes for failed verifications, failing exit codes for successful verifications, and as a result requires parsing a very complex status fd protocol that is very easy to get wrong and I'm sure we still have bugs lurking there.
>
> On the other side, sqv implements the OpenPGP standard, implements safe coding practices, and sensible default choices, allowing us to simply rely on it's exit status to be correct.
>
> I hope you understand that given the startling security properties of GnuPG and their desire to abandon the common standard leaves us little choice.
When you are making accusations at GnuPG I think it's fair to also hear
their opinion on this apparent GnuPG vs Sequoia fight going on:
https://gnupg.org/blog/20250117-aheinecke-on-sequoia.html
I think Andre does have some valid points.
I cannot follow how you come to the conclusion that GnuPG does not have
safe coding practices?
Checking the CVEs I tend to conclude otherwise. Whereas Sequoia, being
written in Rust, has had three CVEs in the last two years.
If there are issues with the GnuPG interface, I'm pretty sure those
could've been worked out together with GnuPG.
In any case, gpgv is still supported by APT and even pre-installed on
all architectures. But it will receive a lot less testing now, because
for mere mortals it's almost impossible to use it.
Its use is restricted to users of niche ports which by definition get
less testing.
To me the whole situation leaves the impression that Debian (or Ubuntu?)
unfortunately thinks it has to impose its will on users.
Fixing something which isn't broken.
When there are different groups who cannot agree on things, I would've
preferred that APT supports them all and the user can pick which one
they prefer; Debian picking a sensible default and/or leaving
existing systems to function as they have been.
Regards,
Dennis
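One way to consume the status-fd protocol Julian describes above, as an added example that is neither APT's code nor anything posted in this thread: it assumes a constructed gpgv --status-fd capture and a hypothetical trust policy, and decides validity from VALIDSIG fingerprints rather than from the exit code.

```python
"""Decide signature validity from gpgv --status-fd output instead of its exit code."""
from dataclasses import dataclass, field

# Constructed sample (not a real capture) of gpgv status-fd output for a file
# carrying two signatures: one from a known key, one from a key not in the keyring.
# The fingerprints and key IDs below are made up for this example.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Archive Key <archive@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2025-11-02 1762100000 0 4 0 22 10 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG FEDCBA9876543210 22 10 01 1762100000 9 -
[GNUPG:] NO_PUBKEY FEDCBA9876543210
"""

# Status keywords (from gnupg's doc/DETAILS) that mean a signature did not verify.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY", "NODATA"}


@dataclass
class Verdict:
    valid_fprs: list = field(default_factory=list)  # fingerprints from VALIDSIG lines
    failures: list = field(default_factory=list)    # failure keywords seen


def parse_status(text: str) -> Verdict:
    """Collect VALIDSIG fingerprints and failure keywords; ignore everything else."""
    verdict = Verdict()
    for line in text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # gpgv writes other output on the same descriptor; skip it
        fields = line.split()
        keyword = fields[1]
        if keyword == "VALIDSIG":
            # Field 12 is the primary-key fingerprint when gpgv prints it; fall back
            # to the signing (sub)key fingerprint in field 3.
            verdict.valid_fprs.append(fields[11] if len(fields) > 11 else fields[2])
        elif keyword in FAILURE_KEYWORDS:
            verdict.failures.append(keyword)
    return verdict


def verify(text: str, trusted_fprs: set) -> bool:
    """Hypothetical policy (an assumption, not APT's): any BADSIG rejects the file
    outright; otherwise accept only if some VALIDSIG fingerprint is trusted.
    Unknown co-signers (ERRSIG/NO_PUBKEY) are tolerated but left in the verdict."""
    verdict = parse_status(text)
    if "BADSIG" in verdict.failures:
        return False
    return any(fpr in trusted_fprs for fpr in verdict.valid_fprs)
```

The point is that a client never asks "did gpgv exit 0?" but "which trusted fingerprint produced a VALIDSIG, and was anything reported broken?".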