where can one find an official gnupg project statement on the state of sub project?

Peter Lebbing peter at digitalbrains.com
Thu Mar 5 15:10:25 CET 2015


On 05/03/15 11:33, Paulo Lopes wrote:
> as of today (March 5, 2015) ubuntu 14.04 LTS is still offering gnupg
>  1.4.16 even though there have been security issues fixed in 1.4.17,
>  1.4.18 and 1.4.19. In a way an uninformed user who is under the 
> impression that gnupg is secure, due to the fact that the distro 
> he/she uses does not update the packages in time, is using vulnerable 
> software while the project has already issued security fixes a long 
> time ago...

I think you'll find that many distributions in fact backport security
fixes. Especially if they amount to more than a DoS. Debian, for
instance, has a policy to try and avoid new versions of software in
their stable version, favouring backporting fixes.

Why do you think an "official" (wouldn't be my words) package maintained
by an official GnuPG upstream, for instance, would be better than what
dkg does for Debian?

Which distribution's packaging are you dissatisfied with particularly,
and shouldn't you take this up with the maintainers of the package
rather than asking here for a different package for your distro?

I think sticking with your distribution's repository offers many
advantages: it works out of the box, you get security updates without
having to enter an additional repository in your package management, and
it leaves time for upstream GnuPG to focus on their software, leaving
packaging, and for instance packaging policy changes in a distribution,
to other people.

Plus, a fair number of distributions use GnuPG to authenticate the
software in their repository. It's part of the very core of the
distribution. It needs to be in the main repository, it needs to receive
security fixes. If you feel the packaging of GnuPG is lacking in your
distribution, you should definitely take that up with the maintainers there.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
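The reply's point that a distribution's version string understates its patch level is easy to check rather than argue about: the package changelog records which upstream fixes were backported into a given revision. The script below is an added example, not code from the post or from the GnuPG project. It parses a Debian/Ubuntu-format changelog, splits a package version such as `1.4.16-1ubuntu2.3` into its upstream part and distro revision, and contrasts the naive "anything older than 1.4.19 is vulnerable" verdict with what the changelog actually says was backported. The changelog text, the `backport ... from upstream X.Y.Z` wording it keys on, the maintainer, dates and patch name are all constructed for the example and are not claims about any real package.

```python
"""Compare a version-string-only vulnerability check with the package changelog.

Added example, not from the mailing-list post or the GnuPG project.
The changelog below is CONSTRUCTED; on a real Debian/Ubuntu system you
would feed in `apt-get changelog gnupg` or
`zcat /usr/share/doc/gnupg/changelog.Debian.gz` instead.
"""
import re
from dataclasses import dataclass

# Constructed sample in Debian changelog format, newest entry first.
# The "backport ... from upstream X.Y.Z" wording is an assumption of this
# example; real changelogs usually cite CVE ids, which you would grep instead.
SAMPLE_CHANGELOG = """\
gnupg (1.4.16-1ubuntu2.3) trusty-security; urgency=medium

  * SECURITY UPDATE: backport fixes from upstream 1.4.19
    - debian/patches/backport-1.4.19.patch (assumed patch name)
  * SECURITY UPDATE: backport fix from upstream 1.4.18

 -- Example Maintainer <maintainer@example.invalid>  Thu, 05 Mar 2015 12:00:00 +0100

gnupg (1.4.16-1ubuntu2.2) trusty-security; urgency=medium

  * SECURITY UPDATE: backport fix from upstream 1.4.17

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Sep 2014 12:00:00 +0200

gnupg (1.4.16-1ubuntu2) trusty; urgency=low

  * Packaging changes only; no security content.

 -- Example Maintainer <maintainer@example.invalid>  Tue, 01 Apr 2014 12:00:00 +0200
"""

# Upstream releases the poster names as carrying security fixes.
FIXED_IN = ["1.4.17", "1.4.18", "1.4.19"]

# "pkg (version) distribution; urgency=..." header line of each entry.
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) ([^;]+);", re.M)
# Assumed phrasing used by the constructed changelog for a backported fix.
BACKPORT_RE = re.compile(
    r"backport(?:ed)?\s+fix(?:es)?\s+from\s+upstream\s+(\d+(?:\.\d+)+)", re.I)


@dataclass
class Entry:
    package: str
    version: str
    distribution: str
    body: str  # everything after the header up to the next entry


def parse_changelog(text: str) -> list[Entry]:
    """Split a Debian-format changelog into entries, preserving file order."""
    heads = list(ENTRY_RE.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append(Entry(m.group(1), m.group(2), m.group(3).strip(),
                             text[m.end():end]))
    return entries


def split_version(version: str) -> tuple[str, str]:
    """'1:1.4.16-1ubuntu2.3' -> ('1.4.16', '1ubuntu2.3'); epoch dropped."""
    if ":" in version:
        version = version.split(":", 1)[1]
    upstream, sep, revision = version.rpartition("-")
    return (upstream, revision) if sep else (version, "")


def version_tuple(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def naive_missing_fixes(installed_upstream: str, fixed_in: list[str]) -> list[str]:
    """What a version-string-only scanner reports: every release newer than ours."""
    return sorted((v for v in fixed_in
                   if version_tuple(v) > version_tuple(installed_upstream)),
                  key=version_tuple)


def backported_fixes(changelog: str, installed_version: str) -> list[str]:
    """Upstream releases whose fixes were backported in installed_version or earlier."""
    entries = parse_changelog(changelog)
    versions = [e.version for e in entries]
    if installed_version not in versions:
        raise ValueError(f"{installed_version} not found in changelog")
    found: set[str] = set()
    # Entries are newest-first, so this revision and all older ones follow it.
    for e in entries[versions.index(installed_version):]:
        found.update(BACKPORT_RE.findall(e.body))
    return sorted(found, key=version_tuple)


def still_missing(changelog: str, installed_version: str, fixed_in: list[str]) -> list[str]:
    """Naive verdict minus what the changelog shows was actually backported."""
    upstream, _ = split_version(installed_version)
    missing = set(naive_missing_fixes(upstream, fixed_in))
    missing -= set(backported_fixes(changelog, installed_version))
    return sorted(missing, key=version_tuple)


if __name__ == "__main__":
    for installed in ("1.4.16-1ubuntu2.2", "1.4.16-1ubuntu2.3"):
        print(installed, "naive:", naive_missing_fixes(split_version(installed)[0], FIXED_IN),
              "changelog says missing:", still_missing(SAMPLE_CHANGELOG, installed, FIXED_IN))
```

The design point is that only the distro revision (`1ubuntu2.3`), not the upstream number (`1.4.16`), moves when a fix is backported, so any check that stops at the upstream version will call a patched package vulnerable. The same structure works for the real case: replace `BACKPORT_RE` with a CVE-id pattern and `FIXED_IN` with the ids from the advisory you care about, and read the changelog with `apt-get changelog` or from `/usr/share/doc/<package>/changelog.Debian.gz`.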


