An attempt at backporting 2.1.16 from Debian sid to Debian jessie

Peter Lebbing peter at
Thu Dec 8 18:12:50 CET 2016

Hello dkg and list!

Let me start out by thanking Daniel Kahn Gillmor for all his work on GnuPG and
its Debian packages. And also thanks to all the other devs!

I'd like to use the latest GnuPG 2.1 on my Debian jessie machines. When the
Debian package went from version 2.1.11-7 to 2.1.11-7+exp1, it started providing
/usr/bin/gpg and the other stuff that was up till then provided by GnuPG 1.4.
Starting with stretch, if all works out, GnuPG 1.4 will no longer be providing
the major role it had in Debian so far.

I forked the Debian git repo for GnuPG 2.1 [1], and had a go at what was
primarily the reversal of the changes introduced by 2.1.11-7+exp1. You can find
the result at GitLab at [2].

I'm running this version myself now, and it all works so far (famous last words...).

I'm giving you all the loaded gun to shoot yourself in the foot. I do not
recommend my fork for general use, but rather as a service to people who really
want 2.1 and are prepared to deal with issues arising from having both 1.4 and
2.1 on the same system.[3]

I'm very interested in feedback! I'd like it if people check my changes, do they
seem okay to you? Did you run into issues? I'd also like to hear from people
succesfully using it, but don't feel obliged to tell me.

If you feel I shouldn't be doing this, we could discuss it further. Maybe we can
work out a deterring formulation for the README to prevent people installing it
:-). Or you convince me of my folly.

This version will replace jessie's 2.0.26 with 2.1.16, but it will install next
to GnuPG 1.4. However, mixing 1.4 and 2.1 is not for the faint of heart. There
are good reasons that dkg is choosing not to support 1.4 and 2.1 on the same
machine starting with Debian stretch: while on the surface they are compatible,
they quickly go out of sync regarding private keys and it can get interesting
with public keys as well. "Interesting" as in "May you live in interesting
times". not as in "Hey, that's interesting!"... that is, not a good thing at all.

*Use at your own risk! This is provided as-is without any warranties.*

I tried my best, but sometimes, your best isn't good enough... ;)

Oh, and I'm already behind. The latest and greatest is now 2.1.16-3, and I'm
still providing 2.1.16-2~dbbp8+1 [4].





[3] Hey, that's pretty good, I'll put that in the README.

[4] I means: Digital Brains BackPort Debian 8.x version 1. Same numbering scheme
as, different identifier.

I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161208/d25f2c51/attachment.sig>

More information about the Gnupg-users mailing list