Debian Bug report logs - #910398
stretch-pu: package gnupg2/2.1.18-8~deb9u3


Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Affects: src:gnupg2, enigmail

Reported by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Date: Fri, 5 Oct 2018 22:51:02 UTC

Severity: normal

Tags: confirmed, d-i, stretch

Fixed in version 9.6

Done: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, pkg-gnupg-maint@lists.alioth.debian.org, security@debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Fri, 05 Oct 2018 22:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
New Bug report received and forwarded. Copy sent to pkg-gnupg-maint@lists.alioth.debian.org, security@debian.org, Debian Release Team <debian-release@lists.debian.org>. (Fri, 05 Oct 2018 22:51:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: submit@bugs.debian.org
Subject: stretch-pu: package gnupg2/2.1.18-8~deb9u3
Date: Fri, 05 Oct 2018 17:48:10 -0500
[Message part 1 (text/plain, inline)]
Package: release.debian.org
User: release.debian.org@packages.debian.org
X-Debbugs-Cc: pkg-gnupg-maint@lists.alioth.debian.org, security@debian.org
Usertags: pu
Tags: stretch
Severity: normal
Control: affects -1 src:gnupg2 enigmail
Control: block 909000 -1

I'd like to update the version of GnuPG in debian stable with a series
of targeted bugfixes (most of which are backported from upstream).

There are four complementary reasons, which i explain in more detail
below:

 * ptrace hardening for scdaemon
 * bugfixes that target some common workflows
 * updating cryptographic defaults
 * fixing enigmail in stretch

All of the patches that implement these changes have been in buster
for many months (either as upstream improvements or debian-specific
improvements).


Debian logistics
================

I note that this is *not* itself a security fix -- these fixes do not
address a specific vulnerability in stretch's version of GnuPG.
However, they do have security implications for stretch, because they
are needed in order to support enigmail since the thunderbird 60
upgrade.

If the release team or the security team (x-debbug-cc'ed here) would
prefer that we handle this via stretch-security instead of
stretch-proposed-updates, that's fine with me: please let me know.

I've attached a debdiff below, and the git history of these changes is
also available on the debian/stretch git branch on
https://salsa.debian.org/debian/gnupg2 (commit
f74eb5b2898ced14f910a7e4c7a28cc295dbd3cb)

The debdiff contains some minor updates to patch metadata that make it
easier to work with git-buildpackage going forward.  I apologize for
this extra noise, but syncing up with gbp like this should make
maintenance of any future changes easier.


Justification for changes
=========================

scdaemon hardening
------------------

scdaemon currently can hold sensitive data, comparable to the data
held by gpg-agent.  gpg-agent currently blocks ptrace access to its
internal RAM.  scdaemon now also blocks ptrace. (see: #878952)

common workflow bugfixes
------------------------

 * Dirmngr currently fails on IPv6-only systems.  Enable dirmngr to
   query nameservers over IPv6. (see: #862282)

 * Malformed keys are currently rejected rather than being cleaned up.
   (some keys are malformed on the public keyservers). Clean keys
   before importing.  (see: #906545)

update cryptographic defaults
-----------------------------

A user of debian stable who creates a key today will have a default
expiration date of two years, well into 2020.  Currently in stretch,
the default asymmetric key is 2048-bit RSA.

None of the reasonable guides to cryptographic strength think that
2048-bit RSA keys should be used past 2020. (see for example ECRYPT or
NIST recommendations).

Furthermore, AES128 today is considered slightly riskier than AES256,
due in part to batch attacks and its smaller margin of safety against
quantum cryptanalysis (see for example, the Modern TLS recommendations
at https://wiki.mozilla.org/Security/Server_Side_TLS, and djb's
http://blog.cr.yp.to/20151120-batchattacks.html).

Update the cryptographic defaults to create 3072-bit RSA keys, and to
prefer AES256 over AES128 when all recipients support it.

fixing Enigmail
---------------

As Thunderbird 60 is now in stretch, enigmail is broken (see
https://bugs.debian.org/909000) :/

This can be fixed by importing the current (buster/stretch) enigmail
into stretch as well, but this updated version of enigmail depends on
bugfixes in GnuPG that are not yet in debian stretch.

Backport a series of minor bugfixes and small functionality
improvements to enable enigmail's test suite to pass cleanly.  From
debian/changelog, those are:

  * backport --no-symkey-cache
  * backport improved import and export filtering
  * backport display of revocation certificates
  * backport stripping unusable subkey material during export-minimal
  * backport fix to make --dry-run work when listing secret keys
  * backport fix showing secret keys when listing keys


Testing
=======

I've tested these changes on an x86_64 system running debian stretch.
The GnuPG test suite all passes, and an updated/backported version of
enigmail 2.0.8-5 also works on that platform.

I welcome any feedback on this!  sorry it has taken so long to produce
this series of changes.

Regards,

        --dkg

[gnupg2_2.1.18-8~deb9u2_2.1.18-8~deb9u3.debdiff.gz (application/gzip, attachment)]
[Message part 3 (text/plain, inline)]
-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
[signature.asc (application/pgp-signature, inline)]
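
The "scdaemon hardening" item in the message above, as an added example that is not part of the original report or of the GnuPG/Debian patch. It assumes the Linux `prctl(PR_SET_DUMPABLE, 0)` mechanism (the report does not say which mechanism the patch uses); `harden_against_ptrace`, `dumpable_flag` and `probe_attach` are hypothetical names, and the forked child only stands in for a secret-holding daemon.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark the calling process non-dumpable. On Linux this disables core dumps
 * and makes the kernel refuse ptrace attach requests from tracers that lack
 * CAP_SYS_PTRACE. Returns 0 on success, -1 on error. */
int harden_against_ptrace(void)
{
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
}

/* Current dumpable flag: 1 = dumpable (default), 0 = not dumpable,
 * -1 on error. */
int dumpable_flag(void)
{
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Fork a child that stands in for the daemon, optionally harden it, then
 * try PTRACE_ATTACH from the parent (same uid).
 * Returns 0 if the attach succeeded, the errno value if it was refused,
 * or -1 if the probe itself could not be set up. */
int probe_attach(int harden)
{
    int ready[2];
    if (pipe(ready) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(ready[0]);
        close(ready[1]);
        return -1;
    }

    if (pid == 0) {                      /* child: the stand-in daemon */
        char ok = 1;
        close(ready[0]);
        if (harden && harden_against_ptrace() != 0)
            ok = 0;
        if (write(ready[1], &ok, 1) != 1)
            _exit(1);
        close(ready[1]);
        sleep(10);                       /* parent kills us well before this */
        _exit(0);
    }

    /* parent: wait until the child has finished its setup */
    char ok = 0;
    close(ready[1]);
    ssize_t n = read(ready[0], &ok, 1);
    close(ready[0]);

    int result;
    if (n != 1 || !ok) {
        result = -1;
    } else if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == 0) {
        waitpid(pid, NULL, 0);           /* wait for the attach stop */
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
        result = 0;
    } else {
        result = errno;                  /* EPERM when the child is hardened */
    }

    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return result;
}

int main(void)
{
    int plain = probe_attach(0);
    int hardened = probe_attach(1);

    printf("attach to unhardened child: %s\n",
           plain == 0 ? "allowed" : plain > 0 ? strerror(plain) : "probe failed");
    printf("attach to hardened child:   %s\n",
           hardened == 0 ? "allowed" : hardened > 0 ? strerror(hardened) : "probe failed");

    /* Caveat: a tracer holding CAP_SYS_PTRACE (typically root) is not
     * stopped by this flag, so run the probe as an ordinary user. */
    return 0;
}
```

Sandboxes that filter the ptrace syscall with seccomp will report the unhardened attach as refused too, so the difference between the two cases is only visible on a normal host.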

Added indication that 910398 affects src:gnupg2 and enigmail Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to submit@bugs.debian.org. (Fri, 05 Oct 2018 22:51:04 GMT) (full text, mbox, link).


Added indication that bug 910398 blocks 909000,909001,909081,909225,909816 Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to control@bugs.debian.org. (Fri, 05 Oct 2018 22:57:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Thu, 11 Oct 2018 13:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to Georg Faerber <georg@riseup.net>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 11 Oct 2018 13:06:03 GMT) (full text, mbox, link).


Message #14 received at 910398@bugs.debian.org (full text, mbox, reply):

From: Georg Faerber <georg@riseup.net>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 910398@bugs.debian.org
Subject: Re: Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3
Date: Thu, 11 Oct 2018 13:02:18 +0000
[Message part 1 (text/plain, inline)]
Hi dkg, all,

Thanks a lot for your hard work on this, highly appreciated.

On 18-10-05 17:48:10, Daniel Kahn Gillmor wrote:
> Testing
> =======
> 
> I've tested these changes on an x86_64 system running debian stretch.
> The GnuPG test suite all passes, and an updated/backported version of
> enigmail 2.0.8-5 also works on that platform.
> 
> I welcome any feedback on this!  sorry it has taken so long to produce
> this series of changes.

Although I'm not using Thunderbird and Enigmail myself, I've rolled out
this fix to a couple of friends on Monday. So far, they're pretty happy,
no problems found.

Cheers,
Georg
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Thu, 11 Oct 2018 15:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 11 Oct 2018 15:03:03 GMT) (full text, mbox, link).


Message #19 received at 910398@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Georg Faerber <georg@riseup.net>, 910398@bugs.debian.org
Subject: Re: Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3
Date: Thu, 11 Oct 2018 10:54:31 -0400
On Thu 2018-10-11 13:02:18 +0000, Georg Faerber wrote:
> Although I'm not using Thunderbird and Enigmail myself, I've rolled out
> this fix to a couple of friends on Monday. So far, they're pretty happy,
> no problems found.

thanks for this testing and feedback, Georg!

       --dkg



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Mon, 15 Oct 2018 13:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 15 Oct 2018 13:21:03 GMT) (full text, mbox, link).


Message #24 received at 910398@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: 910398@bugs.debian.org, debian-release@lists.debian.org, Debian GnuPG packaging <pkg-gnupg-maint@lists.alioth.debian.org>, security@debian.org
Cc: Georg Faerber <georg@riseup.net>
Subject: Re: stretch-pu: package gnupg2/2.1.18-8~deb9u3
Date: Sun, 14 Oct 2018 18:58:33 -0400
[Message part 1 (text/plain, inline)]
Hi release team, security team:

over in #910398, i wrote:

On Fri 2018-10-05 17:48:10 -0500, Daniel Kahn Gillmor wrote:
> I'd like to update the version of GnuPG in debian stable with a series
> of targeted bugfixes (most of which are backported from upstream).
>
> There are four complementary reasons, which i explain in more detail
> below:
>
>  * ptrace hardening for scdaemon
>  * bugfixes that target some common workflows
>  * updating cryptographic defaults
>  * fixing enigmail in stretch
>
> All of the patches that implement these changes have been in buster
> for many months (either as upstream improvements or debian-specific
> improvements).

I'd appreciate some followup on this from the debian teams -- am i
barking up the wrong tree?  should i take a different approach?  or do i
(and the stretch users of enigmail) just need to wait a little while
longer for review?

Many thanks for your work in keeping debian stable safe, healthy, and
useful.

Regards,

        --dkg

PS thanks to Georg for his testing of these changes, as noted in
#910398!
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Mon, 15 Oct 2018 20:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Jonas Meurer <jonas@freesources.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 15 Oct 2018 20:48:03 GMT) (full text, mbox, link).


Message #29 received at 910398@bugs.debian.org (full text, mbox, reply):

From: Jonas Meurer <jonas@freesources.org>
To: 910398@bugs.debian.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Debian-Release <debian-release@lists.debian.org>, Debian GnuPG packaging <pkg-gnupg-maint@lists.alioth.debian.org>, Debian Security Team <security@debian.org>
Subject: Re: stretch-pu: package gnupg2/2.1.18-8~deb9u3
Date: Mon, 15 Oct 2018 22:29:16 +0200
[Message part 1 (text/plain, inline)]
Hello,

again, thanks a lot to dkg for your hard work to bring Enigmail 2.0 to
Stretch! Once again it's amazing to follow your work and see how
thorough you are :)

On Sun, 14 Oct 2018 18:58:33 -0400 Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
> Hi release team, security team:
> 
> over in #910398, i wrote:
> 
> On Fri 2018-10-05 17:48:10 -0500, Daniel Kahn Gillmor wrote:
> > I'd like to update the version of GnuPG in debian stable with a series
> > of targeted bugfixes (most of which are backported from upstream).
> >
> > There are four complementary reasons, which i explain in more detail
> > below:
> >
> >  * ptrace hardening for scdaemon
> >  * bugfixes that target some common workflows
> >  * updating cryptographic defaults
> >  * fixing enigmail in stretch
> >
> > All of the patches that implement these changes have been in buster
> > for many months (either as upstream improvements or debian-specific
> > improvements).
> 
> I'd appreciate some followup on this from the debian teams -- am i
> barking up the wrong tree?  should i take a different approach?  or do i
> (and the stretch users of enigmail) just need to wait a little while
> longer for review?
> 
> Many thanks for your work in keeping debian stable safe, healthy, and
> useful.

Due to the intrusive changes I can imagine that the responsible teams
need some time for the decision. Still it would be great if you could
send a short note on whether you discuss this internally and whether you
consider it a valid approach at all. That would help a lot with waiting.

As dkg already explained, right now, everybody who uses Enigmail on
Stretch is stuck with vulnerable Thunderbird 52 packages. Which,
unfortunately, means a *lot* of users. Thus I consider any necessary
steps (or prerequisites) to get Enigmail 2.0 into Stretch pretty urgent.

> PS thanks to Georg for his testing of these changes, as noted in
> #910398!

Ack, thanks Georg!

Cheers
 jonas

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Sat, 20 Oct 2018 09:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 20 Oct 2018 09:45:03 GMT) (full text, mbox, link).


Message #34 received at 910398@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 910398@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3
Date: Sat, 20 Oct 2018 10:43:31 +0100
On Fri, 2018-10-05 at 17:48 -0500, Daniel Kahn Gillmor wrote:
> I'd like to update the version of GnuPG in debian stable with a
> series of targeted bugfixes (most of which are backported from
> upstream).
[...]
> I note that this is *not* itself a security fix -- these fixes do not
> address a specific vulnerability in stretch's version of GnuPG.
> However, they do have security implications for stretch, because they
> are needed in order to support enigmail since the thunderbird 60
> upgrade.
> 
> If the release team or the security team (x-debbug-cc'ed here) would
> prefer that we handle this via stretch-security instead of
> stretch-proposed-updates, that's fine with me: please let me know.

Any chance of an explicit opinion from the Security Team here? [CCed]

Regards,

Adam



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Sun, 21 Oct 2018 10:09:05 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 21 Oct 2018 10:09:05 GMT) (full text, mbox, link).


Message #39 received at 910398@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 910398@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3
Date: Sun, 21 Oct 2018 12:05:31 +0200
On Sat, Oct 20, 2018 at 10:43:31AM +0100, Adam D. Barratt wrote:
> On Fri, 2018-10-05 at 17:48 -0500, Daniel Kahn Gillmor wrote:
> > I'd like to update the version of GnuPG in debian stable with a
> > series of targeted bugfixes (most of which are backported from
> > upstream).
> [...]
> > I note that this is *not* itself a security fix -- these fixes do not
> > address a specific vulnerability in stretch's version of GnuPG.
> > However, they do have security implications for stretch, because they
> > are needed in order to support enigmail since the thunderbird 60
> > upgrade.
> > 
> > If the release team or the security team (x-debbug-cc'ed here) would
> > prefer that we handle this via stretch-security instead of
> > stretch-proposed-updates, that's fine with me: please let me know.
> 
> Any chance of an explicit opinion from the Security Team here? [CCed]

That's all bugfixes related to enabling Enigmail and nothing in there
is itself security-related, so I think that's something for the point
update, not security.debian.org

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Sun, 21 Oct 2018 11:24:02 GMT) (full text, mbox, link).


Acknowledgement sent to Georg Faerber <georg@riseup.net>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 21 Oct 2018 11:24:02 GMT) (full text, mbox, link).


Message #44 received at 910398@bugs.debian.org (full text, mbox, reply):

From: Georg Faerber <georg@riseup.net>
To: Moritz Mühlenhoff <jmm@inutil.org>, 910398@bugs.debian.org
Cc: "Adam D. Barratt" <adam@adam-barratt.org.uk>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, team@security.debian.org
Subject: Re: Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3
Date: Sun, 21 Oct 2018 11:21:36 +0000
[Message part 1 (text/plain, inline)]
Hi,

On 18-10-21 12:05:31, Moritz Mühlenhoff wrote:
> That's all bugfixes related to enabling Enigmail and nothing in there
> is itself security-related, so I think that's something for the point
> update, not security.debian.org

That's quite unfortunate to hear, and I don't share this opinion (even
if this doesn't count in this case, I guess), for reasons outlined in
the initial mail by dkg of this bug report in the "fixing enigmail"
section.

As of now, enigmail, which people use to secure their communication, is
broken, therefore, IMHO, fixing it would be indeed a security fix.

I spoke to quite some "end users" during the last weeks about this and
heard the problems they've run into; personally, to not further delay
this, I would very much appreciate if this could be handled via
security.d.o.

Thanks for listening and for your work,
as always, highly appreciated,
cheers,
Georg
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Sun, 21 Oct 2018 11:51:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 21 Oct 2018 11:51:03 GMT) (full text, mbox, link).


Message #49 received at 910398@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Georg Faerber <georg@riseup.net>, 910398@bugs.debian.org
Cc: Moritz Mühlenhoff <jmm@inutil.org>, "Adam D. Barratt" <adam@adam-barratt.org.uk>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, team@security.debian.org
Subject: Re: Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3
Date: Sun, 21 Oct 2018 13:48:23 +0200
Hi,

On Sun, Oct 21, 2018 at 11:21:36AM +0000, Georg Faerber wrote:
> Hi,
> 
> On 18-10-21 12:05:31, Moritz Mühlenhoff wrote:
> > That's all bugfixes related to enabling Enigmail and nothing in there
> > is itself security-related, so I think that's something for the point
> > update, not security.debian.org
> 
> That's quite unfortunate to hear, and I don't share this opinion (even
> if this doesn't count in this case, I guess), for reasons outlined in
> the initial mail by dkg of this bug report in the "fixing enigmail"
> section.
> 
> As of now, enigmail, which people use to secure their communication, is
> broken, therefore, IMHO, fixing it would be indeed a security fix.
> 
> I spoke to quite some "end users" during the last weeks about this and
> heard the problems they've run into; personally, to not further delay
> this, I would very much appreciate if this could be handled via
> security.d.o.

Some packages can be 'fast-tracked' from proposed-updates before a
point release though still via the 'stable-updates' mechanism[1]. It
was announced back in [2], and might be an option here if the SRM can
be convinced it is needed (a.k.a if Adam gives its okay here).

 [1] https://wiki.debian.org/StableUpdates
 [2] https://lists.debian.org/debian-devel-announce/2011/03/msg00010.html

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Tue, 23 Oct 2018 07:45:10 GMT) (full text, mbox, link).


Acknowledgement sent to ilf <ilf@zeromail.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 23 Oct 2018 07:45:10 GMT) (full text, mbox, link).


Message #54 received at 910398@bugs.debian.org (full text, mbox, reply):

From: ilf <ilf@zeromail.org>
To: 910398@bugs.debian.org, security@debian.org
Subject: Re: stretch-pu: package gnupg2/2.1.18-8~deb9u3
Date: Tue, 23 Oct 2018 09:32:30 +0200
[Message part 1 (text/plain, inline)]
Wow, thanks a lot for your awesome work on both enigmail and gnupg, dkg!

I agree that this should be rolled out to users soon.

The classic path of using "stretch-proposed-updates" means that it would 
land in the next point release (9.6). However, an ETA of that is "not 
yet planned", according to https://release.debian.org/

Using "stretch-updates", as Salvatore proposed, would accelerate this. 
This surely qualifies for the criteria described in the announcement.
https://lists.debian.org/debian-devel-announce/2011/03/msg00010.html

However, it's probably "overqualified" for "stretch-updates", since one 
criterion is being "urgent and not of a security nature". I would argue 
that this is indeed "of a security nature". For one, it hardens scdaemon 
and updates cryptographic defaults, both are "of a security nature".

Additionally, it allows security updates (fixing vulnerabilities) for 
other packages (thunderbird, enigmail) to be shipped in Debian stable. 
Debian made the correct choice to ship updated ESR releases of firefox 
and thunderbird (and chromium) instead of trying to backport all 
cherry-picked CVE patches. IMHO, then it should also try to keep 
important dependencies working. Enigmail is widely used, essential for 
many thunderbird users - and "security" software. dkg has done a lot of 
work to package enigmail 2 work in Debian.

In addition, dkg's packaging has an outstanding track record. And this 
gnupg update has been tested, as shown in the tickets.

All in all, I'm for fast-tracking this via "stretch-security".

Thanks, and keep up the good work!

Daniel Kahn Gillmor:
> However, they do have security implications for stretch, because they 
> are needed in order to support enigmail since the thunderbird 60 
> upgrade.

-- 
ilf

If you upload your address book to "the cloud", I don't want to be in it.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Tue, 23 Oct 2018 08:00:06 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 23 Oct 2018 08:00:06 GMT) (full text, mbox, link).


Message #59 received at 910398@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Salvatore Bonaccorso <carnil@debian.org>, 910398@bugs.debian.org
Cc: Georg Faerber <georg@riseup.net>, Moritz Mühlenhoff <jmm@inutil.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, team@security.debian.org, Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>
Subject: Re: Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3
Date: Tue, 23 Oct 2018 08:57:08 +0100
On 2018-10-21 12:48, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Sun, Oct 21, 2018 at 11:21:36AM +0000, Georg Faerber wrote:
>> Hi,
>> 
>> On 18-10-21 12:05:31, Moritz Mühlenhoff wrote:
>> > That's all bugfixes related to enabling Enigmail and nothing in there
>> > is itself security-related, so I think that's something for the point
>> > update, not security.debian.org
>> 
>> That's quite unfortunate to hear, and I don't share this opinion (even
>> if this doesn't count in this case, I guess), for reasons outlined in
>> the initial mail by dkg of this bug report in the "fixing enigmail"
>> section.
>> 
>> As of now, enigmail, which people use to secure their communication, 
>> is
>> broken, therefore, IMHO, fixing it would be indeed a security fix.
>> 
>> I spoke to quite some "end users" during the last weeks about this and
>> heard the problems they've run into; personally, to not further delay
>> this, I would very much appreciate if this could be handled via
>> security.d.o.
> 
> Some packages can be 'fast-tracked' from proposed-updates before a
> point release though still via the 'stable-updates' mechanism[1]. It
> was announced back in [2], and might be an option here if the SRM can
> be convinced it is needed (a.k.a if Adam gives its okay here).

An issue is that the gnupg update itself doesn't really qualify for 
stable-updates any more than it qualifies for stable-security. The 
changes to gnupg itself are at best security improvements, which isn't 
justification for forcing all stretch users to install the new version 
as a matter of urgency - indeed, if the new version of enigmail weren't 
relying on new functionality no-one would be suggesting pushing gnupg so 
urgently - nor, I imagine, backporting all of the mentioned features. 
It's also going to need a d-i sign-off, because gnupg produces a udeb.

As a general note, in case anyone's actually reading this rather than 
just hitting reply - thank you for your interest, but at this point we 
really don't need repeated follow-ups telling us how you think this 
should be handled via the security archive - the Security Team have 
already indicated that it won't be - or how the Release Team aren't 
dealing with things quickly enough. I at least struggle for Debian time 
recently and need to be able to focus on the actual requests. I'm one of 
the people who wrote the guidelines for stable-updates, so I know what 
it says and what it means. :-)

Regards,

Adam



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Tue, 23 Oct 2018 14:39:05 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 23 Oct 2018 14:39:05 GMT) (full text, mbox, link).


Message #64 received at 910398@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>, Salvatore Bonaccorso <carnil@debian.org>, 910398@bugs.debian.org
Cc: Georg Faerber <georg@riseup.net>, Moritz Mühlenhoff <jmm@inutil.org>, team@security.debian.org, Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>, Roger Shimizu <rogershimizu@gmail.com>, debian-boot@lists.debian.org
Subject: Re: Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3
Date: Tue, 23 Oct 2018 10:35:42 -0400
[Message part 1 (text/plain, inline)]
Thanks to Adam for your ongoing work on the stable releases!

I just wanted to clarify a few points here.

On Tue 2018-10-23 08:57:08 +0100, Adam D. Barratt wrote:
> An issue is that the gnupg update itself doesn't really qualify for 
> stable-updates any more than it qualifies for stable-security. The 
> changes to gnupg itself are at best security improvements, which isn't 
> justification for forcing all stretch users to install the new version 
> as a matter of urgency - indeed, if the new version of enigmail weren't 
> relying on new functionality no-one would be suggesting pushing gnupg so 
> urgently - nor, I imagine, backporting all of the mentioned features. 

I would be pushing for a stable point release for GnuPG at least for the
cryptographic defaults refresh, and the series of minor bugfixes that
resolve outstanding problems.

I brought up the idea of a cryptographic defaults refresh nearly a year
ago [0], and it's overdue (my fault).  i don't think it's responsible
for us to ship a new stable installation in 2019 that by default creates
2048-bit RSA keys that claim to be valid through 2021.

The problems with bugs like handling import of malformed keys (#906545),
for example, are bad enough to have already caused extra labor in the
form of stretch-backports maintenance to work around the fact that these
bugs are present in debian stretch.  Thanks are due to Roger Shimizu
(cc'ed) for handling that ongoing task!  Note that malformed keys are
significantly more present today than they were when stretch was
released, due to ongoing attacks on the keyserver infrastructure. :(

The fact that the upstream-supported version of enigmail that works with
the upcoming stretch version of thunderbird depends on these fixes is,
as you say, another reason to suggest inclusion in debian stretch.

> It's also going to need a d-i sign-off, because gnupg produces a udeb.

I've added debian-boot@lists.debian.org in the hopes that someone from
there can supply a d-i sign-off.

I've done my best with this series of patches to minimize disruption to
this critical part of debian stretch while still supporting the shifting
network ecosystem that depends on it.  If these changes cause any
significant disruption, please point it out to me so that i can try to
repair it.

But if debian's policies and practices don't have a way to get these
fixes to stable users who might depend on them for matters of critical
security (even if the gnupg updates are not in themselves deemed to be
critical security updates), then we're failing our stable users.

If that's the case, then either debian's policies or practices need to
change, or debian needs to get a more capable maintainer for GnuPG who
can figure out how to effectively navigate or avoid what feels like a
buck-passing deadlock between two (maybe three)
overworked/underresourced teams.  I welcome any help in that regard.

All the best,

    --dkg

[0] https://alioth-lists.debian.net/pipermail/pkg-gnupg-maint/2017-October/006148.html
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Tue, 23 Oct 2018 15:21:08 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 23 Oct 2018 15:21:08 GMT) (full text, mbox, link).


Message #69 received at 910398@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 910398@bugs.debian.org, Georg Faerber <georg@riseup.net>, Moritz Mühlenhoff <jmm@inutil.org>, team@security.debian.org, Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>, Roger Shimizu <rogershimizu@gmail.com>, debian-boot@lists.debian.org
Subject: Re: Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3
Date: Tue, 23 Oct 2018 16:18:05 +0100
On 2018-10-23 15:35, Daniel Kahn Gillmor wrote:
> Thanks to Adam for your ongoing work on the stable releases!
> 
> I just wanted to clarify a few points here.
> 
> On Tue 2018-10-23 08:57:08 +0100, Adam D. Barratt wrote:
>> An issue is that the gnupg update itself doesn't really qualify for
>> stable-updates any more than it qualifies for stable-security. The
>> changes to gnupg itself are at best security improvements, which isn't
>> justification for forcing all stretch users to install the new version
>> as a matter of urgency - indeed, if the new version of enigmail weren't
>> relying on new functionality no-one would be suggesting pushing gnupg so
>> urgently - nor, I imagine, backporting all of the mentioned features.
> 
> I would be pushing for a stable point release for GnuPG at least for the
> cryptographic defaults refresh, and the series of minor bugfixes that
> resolve outstanding problems.

Sure, but that's not what I said. My distinction was between including 
the gnupg update in the point release versus pushing it more urgently 
via stable-updates. I never implied the updates shouldn't be released at 
all.

[...]
> If that's the case, then either debian's policies or practices need to
> change, or debian needs to get a more capable maintainer for GnuPG who
> can figure out how to effectively navigate or avoid what feels like a
> buck-passing deadlock between two (maybe three)
> overworked/underresourced teams.  I welcome any help in that regard.

FWIW I don't recognise that characterisation. Yes, I should have 
confirmed the Security Team's intentions at an earlier point, but I 
don't consider that buck-passing or the situation deadlocked.

Regards,

Adam



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Tue, 23 Oct 2018 19:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 23 Oct 2018 19:03:03 GMT) (full text, mbox, link).


Message #74 received at 910398@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 910398@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Cc: Georg Faerber <georg@riseup.net>, Moritz Mühlenhoff <jmm@inutil.org>, team@security.debian.org, Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>, Roger Shimizu <rogershimizu@gmail.com>, debian-boot@lists.debian.org
Subject: Re: Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3
Date: Tue, 23 Oct 2018 20:00:06 +0100
On Tue, 2018-10-23 at 10:35 -0400, Daniel Kahn Gillmor wrote:
> The fact that the upstream-supported version of enigmail that works
> with the upcoming stretch version of thunderbird depends on these
> fixes is, as you say, another reason to suggest inclusion in debian
> stretch.

From discussions elsewhere, I understand that the "raw" upstream
enigmail - i.e. installed via upstream's addons service - is actually
already compatible with the new Thunderbird version, and the problem
only affects the Debian packages - is that correct? (Specifically,
upstream includes some kind of compatibility shim, which is not shipped
in our packages for DFSG reasons.)

> > It's also going to need a d-i sign-off, because gnupg produces a
> > udeb.
> 
> I've added debian-boot@lists.debian.org in the hopes that someone
> from there can supply a d-i sign-off.

Explicitly CCing KiBi is generally more effective, as -boot@ is a
fairly busy list at times. I imagine he'll want the SRM review
completed first, but that also depends on whether the changes actually
impact d-i's usage, which I'm not entirely clear on - could you provide
any insight there?

Regards,

Adam



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Tue, 23 Oct 2018 20:51:07 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 23 Oct 2018 20:51:07 GMT) (full text, mbox, link).


Message #79 received at 910398@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 910398@bugs.debian.org, "Georg Faerber" <georg@riseup.net>, Moritz Mühlenhoff <jmm@inutil.org>, team@security.debian.org, Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>, Roger Shimizu <rogershimizu@gmail.com>, debian-boot@lists.debian.org
Subject: Re: Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3
Date: Tue, 23 Oct 2018 16:38:04 -0400
Hi Adam--

On Tue 2018-10-23 16:18:05 +0100, Adam D. Barratt wrote:

> Sure, but that's not what I said. My distinction was between including 
> the gnupg update in the point release versus pushing it more urgently 
> via stable-updates. I never implied the updates shouldn't be released at 
> all.

thanks for the clarification, i didn't understand that distinction.  I'm
glad you're considering it at least for the point release.

> FWIW I don't recognise that characterisation. Yes, I should have 
> confirmed the Security Team's intentions at an earlier point, but I 
> don't consider that buck-passing or the situation deadlocked.

fwiw, i'd heard privately earlier from the security team that they don't
see this fix as in their bailiwick, but they hadn't responded to my
requests for comments in public on the BTS.  So the deadlock
misperception may have been due to what looked like a longer delay from
my vantage point.

I'm glad it's not deadlock!

    --dkg



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Tue, 23 Oct 2018 20:51:09 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 23 Oct 2018 20:51:09 GMT) (full text, mbox, link).


Message #84 received at 910398@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 910398@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Cc: Georg Faerber <georg@riseup.net>, Moritz Mühlenhoff <jmm@inutil.org>, team@security.debian.org, Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>, Roger Shimizu <rogershimizu@gmail.com>, debian-boot@lists.debian.org
Subject: Re: Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3
Date: Tue, 23 Oct 2018 16:47:55 -0400
[Message part 1 (text/plain, inline)]
On Tue 2018-10-23 20:00:06 +0100, Adam D. Barratt wrote:
> From discussions elsewhere, I understand that the "raw" upstream
> enigmail - i.e. installed via upstream's addons service - is actually
> already compatible with the new Thunderbird version, and the problem
> only affects the Debian packages - is that correct? (Specifically,
> upstream includes some kind of compatibility shim, which is not shipped
> in our packages for DFSG reasons.)

the version of enigmail shipped in the mozilla add-ons has at least two
problems, both arguably DFSG-free-related, and both described in
#909000, i believe.

 0) it ships a pre-built copy of OpenPGP.js, which i have not been able
    to build directly in debian due to a deep dependency mess (see #787774)

 1) by default it downloads a binary from the internet, stores it in the
    user's thunderbird profile, and executes it as the user without
    checking its integrity with anything beyond an HTTPS (see #891882)

Encouraging users with sensitive communication needs to install
something with either of these choices made this way is pretty
problematic.  And users who install enigmail from the add-on store will
most likely never revert to the debian packages that fix these
misfeatures :/

> Explicitly CCing KiBi is generally more effective, as -boot@ is a
> fairly busy list at times. I imagine he'll want the SRM review
> completed first, but that also depends on whether the changes actually
> impact d-i's usage, which I'm not entirely clear on - could you provide
> any insight there?

d-i's usage is limited to gpgv; the gpgv-udeb is deliberately narrowly
targeted, since all d-i needs from gpgv is (a) interpret the debian
distro public keys, and (b) verify signatures on the apt manifests.
None of the changes in this update should affect gpgv's behavior in
either of these tasks.

hope that helps to clarify,

       --dkg
[signature.asc (application/pgp-signature, inline)]
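
Added example, not part of the thread and not enigmail's or Debian's code: item 1 in the message above describes a helper binary that is downloaded, stored in the user's profile and executed with no integrity check beyond HTTPS. The sketch below shows the missing check, under the assumption that a SHA-256 digest is pinned inside the already-verified package rather than fetched from the download server; `install_verified`, `IntegrityError`, `demo` and the sample bytes are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os
import stat
import tempfile


class IntegrityError(Exception):
    """Raised when a downloaded payload does not match its pinned digest."""


def install_verified(payload: bytes, pinned_sha256: str, dest_path: str) -> str:
    """Install payload at dest_path, executable, only if it matches the pin.

    The digest is checked before anything is written, so a rejected payload
    never reaches the disk, executable or not.
    """
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, pinned_sha256.lower()):
        raise IntegrityError(
            f"digest mismatch: expected {pinned_sha256}, got {actual}"
        )

    # Write to a private temp file in the target directory, then rename, so
    # a half-written file is never visible under the final name.
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".incoming-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(payload)
            fh.flush()
            os.fsync(fh.fileno())
        # Owner-only permissions; the exec bit is set only after verification.
        os.chmod(tmp, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)
        os.replace(tmp, dest_path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return actual


def demo() -> dict:
    """Run the check on constructed data standing in for an HTTPS download."""
    genuine = b"#!/bin/sh\necho constructed helper\n"
    tampered = genuine + b"# altered on the server or in transit\n"
    # Assumption: this pin ships inside the signed package.
    pin = hashlib.sha256(genuine).hexdigest()

    results = {}
    with tempfile.TemporaryDirectory() as profile:
        dest = os.path.join(profile, "helper")

        install_verified(genuine, pin, dest)
        results["genuine_installed"] = bool(os.stat(dest).st_mode & stat.S_IXUSR)
        os.unlink(dest)

        try:
            install_verified(tampered, pin, dest)
            results["tampered_rejected"] = False
        except IntegrityError:
            results["tampered_rejected"] = True
        # A rejected payload must leave nothing behind in the profile.
        results["tampered_left_on_disk"] = os.listdir(profile) != []
    return results


if __name__ == "__main__":
    print(demo())
```

HTTPS authenticates only the server and the transport; a pin carried in the verified package also covers a compromised or substituted file on that server.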

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Sat, 27 Oct 2018 15:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 27 Oct 2018 15:51:04 GMT) (full text, mbox, link).


Message #89 received at 910398@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 910398@bugs.debian.org
Cc: kibi@debian.org
Subject: Re: Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3
Date: Sat, 27 Oct 2018 16:47:27 +0100
Control: tags -1 + confirmed d-i

On Fri, 2018-10-05 at 17:48 -0500, Daniel Kahn Gillmor wrote:
> I'd like to update the version of GnuPG in debian stable with a
> series of targeted bugfixes (most of which are backported from
> upstream).
[...]
> The debdiff contains some minor updates to patch metadata that makes
> it easier to work with git-buildpackage going forward.  I apologize
> for this extra noise, but syncing up with gbp like this should make
> maintenance of any future changes easier.

As it turns out, that was quite a lot of noise indeed - about 1/3 of
the ~3300 line diff, from my visual scan-and-chop. Apologies for the
delay, but I've finally managed to carve out a block of time to handle
this.

I did notice that some of the changes result in differing output from
invocations of gnupg in some circumstances - I hope we don't end up
with further updates if those turn out to break other tools.

I know you mentioned that the changes shouldn't affect gpgv
(particularly as used in d-i), but the udeb still means that the upload
needs an explicit ack, so I've CCed KiBi and tagged the bug
appropriately.

In terms of whether the update should be pushed via stable-updates, it
looks like we'll be freezing for the next point release in a week's
time, so it may not be worth the extra work at this point.

Are you planning on handling the enigmail upload as well? I can't see
an open p-u bug for it so, given the timings, would suggest that start
getting progressed ASAP so that we can make sure that it makes the
point release.

Regards,

Adam



Added tag(s) confirmed and d-i. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to 910398-submit@bugs.debian.org. (Sat, 27 Oct 2018 15:51:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Sun, 28 Oct 2018 15:03:06 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 28 Oct 2018 15:03:06 GMT) (full text, mbox, link).


Message #96 received at 910398@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 910398@bugs.debian.org
Cc: kibi@debian.org
Subject: Re: Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3
Date: Sun, 28 Oct 2018 10:58:17 -0400
[Message part 1 (text/plain, inline)]
On Sat 2018-10-27 16:47:27 +0100, Adam D. Barratt wrote:
> As it turns out, that was quite a lot of noise indeed - about 1/3 of
> the ~3300 line diff, from my visual scan-and-chop. Apologies for the
> delay, but I've finally managed to carve out a block of time to handle
> this.

apologies for the noise.  i appreciate your handling it.  It will make
any possible future cleanup/fixit work on this package much simpler.

> I know you mentioned that the changes shouldn't affect gpgv
> (particularly as used in d-i), but the udeb still means that the upload
> needs an explicit ack, so I've CCed KiBi and tagged the bug
> appropriately.

thank you!  should i go ahead with the upload to land it in proposed, or
should i wait for kibi's review+ack?

> In terms of whether the update should be pushed via stable-updates, it
> looks like we'll be freezing for the next point release in a week's
> time, so it may not be worth the extra work at this point.

understood, and that's fine with me.

> Are you planning on handling the enigmail upload as well? I can't see
> an open p-u bug for it so, given the timings, would suggest that start
> getting progressed ASAP so that we can make sure that it makes the
> point release.

I didn't want to propose the enigmail update until i knew that this
change would go through.  I'll do that today.  Thanks!

       --dkg
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Sun, 28 Oct 2018 22:03:06 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 28 Oct 2018 22:03:06 GMT) (full text, mbox, link).


Message #101 received at 910398@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 910398@bugs.debian.org
Cc: kibi@debian.org
Subject: Re: Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3
Date: Sun, 28 Oct 2018 21:58:55 +0000
On Sun, 2018-10-28 at 10:58 -0400, Daniel Kahn Gillmor wrote:
> On Sat 2018-10-27 16:47:27 +0100, Adam D. Barratt wrote:
[...]
> > I know you mentioned that the changes shouldn't affect gpgv
> > (particularly as used in d-i), but the udeb still means that the
> > upload needs an explicit ack, so I've CCed KiBi and tagged the bug
> > appropriately.
> 
> thank you!  should i go ahead with the upload to land it in proposed,
> or should i wait for kibi's review+ack?

I don't have any objections if you want to upload already, but it won't
get accepted into p-u from stable-new until it's had the d-i ack.

Regards,

Adam



Added indication that bug 910398 blocks 912194 Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to submit@bugs.debian.org. (Mon, 29 Oct 2018 05:09:09 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Mon, 29 Oct 2018 05:33:03 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 29 Oct 2018 05:33:03 GMT) (full text, mbox, link).


Message #108 received at 910398@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 910398@bugs.debian.org
Cc: kibi@debian.org
Subject: Re: Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3
Date: Mon, 29 Oct 2018 01:20:15 -0400
[Message part 1 (text/plain, inline)]
On Sun 2018-10-28 10:58:17 -0400, Daniel Kahn Gillmor wrote:
> On Sat 2018-10-27 16:47:27 +0100, Adam D. Barratt wrote:
>> Are you planning on handling the enigmail upload as well? I can't see
>> an open p-u bug for it so, given the timings, would suggest that start
>> getting progressed ASAP so that we can make sure that it makes the
>> point release.
>
> I didn't want to propose the enigmail update until i knew that this
> change would go through.  I'll do that today.  Thanks!

The proposed upgrade to enigmail is #912194.  thanks!

    --dkg
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Mon, 29 Oct 2018 05:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 29 Oct 2018 05:33:04 GMT) (full text, mbox, link).


Message #113 received at 910398@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 910398@bugs.debian.org
Cc: kibi@debian.org
Subject: Re: Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3
Date: Mon, 29 Oct 2018 01:29:18 -0400
On Sun 2018-10-28 21:58:55 +0000, Adam D. Barratt wrote:
> I don't have any objections if you want to upload already, but it won't
> get accepted into p-u from stable-new until it's had the d-i ack.

OK, it's uploaded now, in stable-new, waiting for the d-i ack.

thanks for your work on the stable release, Adam.

    --dkg



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Fri, 02 Nov 2018 09:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Cyril Brulebois <kibi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 02 Nov 2018 09:42:03 GMT) (full text, mbox, link).


Message #118 received at 910398@bugs.debian.org (full text, mbox, reply):

From: Cyril Brulebois <kibi@debian.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 910398@bugs.debian.org
Subject: Re: Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3
Date: Fri, 2 Nov 2018 10:39:37 +0100
[Message part 1 (text/plain, inline)]
Hi,

Daniel Kahn Gillmor <dkg@fifthhorseman.net> (2018-10-29):
> On Sun 2018-10-28 21:58:55 +0000, Adam D. Barratt wrote:
> > I don't have any objections if you want to upload already, but it
> > won't get accepted into p-u from stable-new until it's had the d-i
> > ack.
> 
> OK, it's uploaded now, in stable-new, waiting for the d-i ack.
> 
> thanks for your work on the stable release, Adam.

Disclaimer: I didn't check anything on the code side, I've just built
the package locally and run d-i tests to check what happens with its
updated gpgv-udeb.


A d-i netboot gtk image seems to work just fine.

A d-i cdrom image, used to build a netinst image, seems to work just
fine as well. (I've taken the opportunity to test the 4.9.0-8-amd64 ABI
in the process; no obvious issues there either.)

So no objections from the d-i side.


Cheers,
-- 
Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#910398; Package release.debian.org. (Fri, 02 Nov 2018 21:57:06 GMT) (full text, mbox, link).


Acknowledgement sent to Adam D Barratt <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 02 Nov 2018 21:57:06 GMT) (full text, mbox, link).


Message #123 received at 910398@bugs.debian.org (full text, mbox, reply):

From: Adam D Barratt <adam@adam-barratt.org.uk>
To: 910398@bugs.debian.org
Cc: 910398-submitter@bugs.debian.org
Subject: gnupg2 2.1.18-8~deb9u3 flagged for acceptance
Date: Fri, 02 Nov 2018 21:56:23 +0000
Control: tags -1 + pending

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian stretch.

Thanks for your contribution!

Upload details
==============

Package: gnupg2
Version: 2.1.18-8~deb9u3

Explanation: security fixes; backport functionality required for new enigmail



Added tag(s) pending. Request was from Adam D Barratt <adam@adam-barratt.org.uk> to 910398-submit@bugs.debian.org. (Fri, 02 Nov 2018 21:57:06 GMT) (full text, mbox, link).


Message sent on to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug#910398. (Fri, 02 Nov 2018 21:57:11 GMT) (full text, mbox, link).


Reply sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
You have taken responsibility. (Sat, 10 Nov 2018 10:46:52 GMT) (full text, mbox, link).


Notification sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug acknowledged by developer. (Sat, 10 Nov 2018 10:46:52 GMT) (full text, mbox, link).


Message #133 received at 910398-done@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: 886146-done@bugs.debian.org, 891566-done@bugs.debian.org, 891651-done@bugs.debian.org, 891652-done@bugs.debian.org, 891801-done@bugs.debian.org, 892764-done@bugs.debian.org, 892774-done@bugs.debian.org, 893749-done@bugs.debian.org, 895537-done@bugs.debian.org, 898741-done@bugs.debian.org, 899050-done@bugs.debian.org, 903656-done@bugs.debian.org, 903786-done@bugs.debian.org, 904196-done@bugs.debian.org, 904199-done@bugs.debian.org, 904213-done@bugs.debian.org, 904307-done@bugs.debian.org, 904662-done@bugs.debian.org, 905232-done@bugs.debian.org, 905712-done@bugs.debian.org, 905762-done@bugs.debian.org, 906042-done@bugs.debian.org, 906088-done@bugs.debian.org, 906145-done@bugs.debian.org, 906167-done@bugs.debian.org, 906741-done@bugs.debian.org, 906814-done@bugs.debian.org, 906857-done@bugs.debian.org, 907124-done@bugs.debian.org, 907386-done@bugs.debian.org, 907584-done@bugs.debian.org, 907719-done@bugs.debian.org, 907865-done@bugs.debian.org, 907899-done@bugs.debian.org, 908357-done@bugs.debian.org, 908388-done@bugs.debian.org, 908389-done@bugs.debian.org, 908474-done@bugs.debian.org, 908612-done@bugs.debian.org, 908893-done@bugs.debian.org, 908913-done@bugs.debian.org, 908956-done@bugs.debian.org, 908958-done@bugs.debian.org, 909007-done@bugs.debian.org, 909119-done@bugs.debian.org, 909526-done@bugs.debian.org, 909807-done@bugs.debian.org, 909842-done@bugs.debian.org, 909953-done@bugs.debian.org, 910065-done@bugs.debian.org, 910371-done@bugs.debian.org, 910396-done@bugs.debian.org, 910398-done@bugs.debian.org, 910445-done@bugs.debian.org, 910481-done@bugs.debian.org, 910610-done@bugs.debian.org, 910628-done@bugs.debian.org, 910629-done@bugs.debian.org, 910719-done@bugs.debian.org, 910821-done@bugs.debian.org, 910969-done@bugs.debian.org, 911114-done@bugs.debian.org, 911186-done@bugs.debian.org, 911220-done@bugs.debian.org, 911244-done@bugs.debian.org, 911347-done@bugs.debian.org, 911494-done@bugs.debian.org, 911767-done@bugs.debian.org, 
911992-done@bugs.debian.org, 912032-done@bugs.debian.org, 912159-done@bugs.debian.org, 912169-done@bugs.debian.org, 912170-done@bugs.debian.org, 912191-done@bugs.debian.org, 912194-done@bugs.debian.org, 912198-done@bugs.debian.org, 912336-done@bugs.debian.org, 912401-done@bugs.debian.org, 912425-done@bugs.debian.org, 912444-done@bugs.debian.org, 912462-done@bugs.debian.org, 912629-done@bugs.debian.org, 912770-done@bugs.debian.org, 912820-done@bugs.debian.org
Subject: Closing bugs for updates included in 9.6
Date: Sat, 10 Nov 2018 10:42:56 +0000
Version: 9.6

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam



Changed Bug title to 'ITS: Intent to salvage bbdb' from 'stretch-pu: package gnupg2/2.1.18-8~deb9u3'. Request was from David Bremner <bremner@debian.org> to control@bugs.debian.org. (Wed, 14 Nov 2018 15:15:08 GMT) (full text, mbox, link).


Changed Bug title to 'stretch-pu: package gnupg2/2.1.18-8~deb9u3' from 'ITS: Intent to salvage bbdb'. Request was from David Bremner <bremner@debian.org> to control@bugs.debian.org. (Wed, 14 Nov 2018 17:09:03 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 13 Dec 2018 07:28:20 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Nov 21 23:40:42 2024; Machine Name: buxtehude
