Acknowledgement sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
New Bug report received and forwarded. Copy sent to dkg@fifthhorseman.net, Debian Release Team <debian-release@lists.debian.org>.
(Sun, 21 Jul 2019 19:57:05 GMT)
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Control: affects -1 src:gnupg2
The version of GnuPG in debian buster (2.2.12-1) has a number of
outstanding bugs related to OpenPGP certificate management and network
access. Many of these concerns are addressed in some of the patches
in upstream's STABLE-BRANCH-2-2 series.
The debdiff (attached) is basically a slew of bugfix, documentation,
stability, and efficiency patches cherry-picked from upstream, plus
some additional changes to reduce the exposure of debian users to
malicious attack on the SKS keyserver network, and some improvements
in the continuous integration test suite.
These additional changes address concerns due to the fact that the SKS
keyserver network is failing due to abuse, and GnuPG had used it as a
default keyserver. These changes offer ways to work around the
problems our users face when fetching data off the network today. In
particular:
* We adopt GnuPG's upstream approach of making keyserver access
default to self-sigs-only. This means that the keyserver cannot
flood the user's keyring by default. (we do *not* adopt upstream's
choice of import-clean for keyserver default, see
https://dev.gnupg.org/T4628 for more explanation)
* We constrain the SKS CA to only validate
hkps.pool.sks-keyservers.net (and we avoid using the system CAs for
the SKS pool), thereby tightening the confidentiality constraints
on TLS-wrapped keyserver access.
* Since the SKS pool's distribution of third-party certifications
will be ignored by default, we change the default keyserver to
hkps://keys.openpgp.org, which won't waste the user's bandwidth for
data that they won't even consider by default. keys.openpgp.org is
significantly more performant for read-only clients (most keyserver
access) than any member of the SKS pool.
* We also allow GnuPG to merge certificate updates (revocations,
subkey rotations) which might be published on keys.openpgp.org
without any user ID (see https://dev.gnupg.org/T4393 for more
discussion). This represents a security improvement for users who
might otherwise use a locally-cached certificate that should have
been revoked, or who cannot encrypt to a locally-cached certificate
because they don't know about its new encryption-capable subkey.
* migrate-pubring-from-classic-gpg fails when the user's keyring
contains a flooded certificate -- we address this (#931385), and
add a test for it.
-------
A note about "web of trust" and the third-party certifications it
depends on:
Third-party certifications are still importable by default over WKD
and DANE/OPENPGPKEY access. It is generally recommended to use those
mechanisms where providers offer them, using --locate-key by e-mail
address instead of --search.
A user who wants to import arbitrary third-party certifications via
HKP or HKPS can still do so by identifying their trusted keyserver
source and indicating that third-party certifications are OK. For
example:
--keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options no-self-sigs-only
-------
Finally, we add an additional simple test for ci.debian.org, and we
adjust the gpgv-win32 ci test so that it will only run on i386 testers
(#905563). continuous integration for the win! :)
The changelog entry provides this summary:
gnupg2 (2.2.12-1+deb10u1) buster; urgency=medium
* drop unneeded patch for printing revocation certificates
* backport bugfix and stability patches from upstream 2.2.13
* backport bugfix and stability patches from upstream 2.2.14
* backport documentation, stability, ssh, and WKD patches from upstream 2.2.15
* backport documentation and bugfix patches from upstream 2.2.16
* import bugfixes and cleanup around secret key handling from 2.2.14
* backport bugfixes, documentation, WKD, and keyserver fixes from 2.2.17
* import efficiency and security fixes from upstream STABLE-BRANCH-2-2
* avoid using SKS pool CA unless the keyserver is hkps.pool.sks-keyservers.net
* drop import-clean from default keyserver options, to avoid data loss
* use keys.openpgp.org as the default keyserver
* enable merging certificate updates even if update has no user ID
* update Vcs-Git: to point to debian/buster branch
* Adopt migrate-pubring-from-classic-gpg robustness fixes (Closes: #931385)
* add new CI test: debian/tests/simple-tests
* debian/tests/gpgv-win32: make arch-specific (Closes: #905563)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 21 Jul 2019 15:39:05 -0400
I recognize that this is a lot of changes, but upstream's 2.2 branch
is intended to be stable. (most of the GnuPG development work is
happening on the 2.3 branch, and most of the work on 2.2 is just
backports of bugfixes) These changes are also visible on the
debian/buster branch on https://salsa.debian.org/debian/gnupg2.
So another option, if the release-team prefers, would be to move GnuPG
on buster to 2.2.17, with some of the additional changes mentioned
above -- that would involve more upstream changes that are not
currently included in this series, but it would also mean that our
versions are less divergent from what upstream believes the shipped
version of gnupg is. Please let me know if you'd prefer that i take
that approach instead of these patch queues.
Fwiw, i don't think that GnuPG upstream is as stable as i would
personally like it to be, but the set of changes i've included here
attempt to minimize the amount of negative disruption that a user
might experience from the upgrade, while still ensuring that the user
can deal with the current reality of how OpenPGP certificates are
distributed on the public Internet.
Regards,
--dkg
-- System Information:
Debian Release: bullseye/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
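The following is an added example, not GnuPG's code and not part of this bug report: it shows what the `self-sigs-only` keyserver option from the first bullet above amounts to at the OpenPGP packet level. A flooded certificate is a primary key and user ID followed by tens of thousands of third-party certifications; an import filter that keeps only signatures issued by the certificate's own primary key discards the flood while retaining the self-signatures (user ID binding, subkey binding, revocations), which is why the keyserver can no longer bloat the keyring. The packet layout follows RFC 4880, but the key material, signatures, key IDs and function names below are constructed for this example and nothing is cryptographically verified; the parser handles old-format headers only (any tag below 16 can be written that way) and does not attempt to reproduce gpg's import code.

```python
import hashlib
import struct

TAG_SIGNATURE, TAG_PUBKEY, TAG_USERID, TAG_PUBSUBKEY = 2, 6, 13, 14
SUBPKT_ISSUER = 16


def packet(tag, body):
    """Old-format packet header with a two-octet length (RFC 4880 4.2.1)."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def parse_packets(data):
    """Yield (tag, body) for old-format packets with definite lengths only."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not (ctb & 0x80) or (ctb & 0x40):
            raise ValueError("unsupported packet header at offset %d" % i)
        ltype = ctb & 3
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        hdr = (2, 3, 5)[ltype]
        length = int.from_bytes(data[i + 1:i + hdr], "big")
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % i)
        yield (ctb >> 2) & 0x0F, body
        i += hdr + length

def v4_key_id(pubkey_body):
    """Low 64 bits of the v4 fingerprint: SHA-1 over 0x99, length, body."""
    prefix = b"\x99" + struct.pack(">H", len(pubkey_body))
    return hashlib.sha1(prefix + pubkey_body).digest()[-8:]

def subpackets(area):
    """Yield (type, data) from a signature subpacket area (RFC 4880 5.2.3.1)."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, hdr = first, 1
        elif first < 255:
            length, hdr = ((first - 192) << 8) + area[i + 1] + 192, 2
        else:
            length, hdr = struct.unpack(">I", area[i + 1:i + 5])[0], 5
        yield area[i + hdr] & 0x7F, area[i + hdr + 1:i + hdr + length]
        i += hdr + length

def signature_issuer(sig_body):
    """Issuer key ID of a v4 signature (hashed area first), or None."""
    if sig_body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    hlen = struct.unpack(">H", sig_body[4:6])[0]
    ulen = struct.unpack(">H", sig_body[6 + hlen:8 + hlen])[0]
    for area in (sig_body[6:6 + hlen], sig_body[8 + hlen:8 + hlen + ulen]):
        for stype, data in subpackets(area):
            if stype == SUBPKT_ISSUER and len(data) == 8:
                return data
    return None

def self_sigs_only(cert):
    """Drop every signature packet not issued by the primary key; a signature
    with no issuer subpacket is dropped too, so the filter fails closed."""
    packets = list(parse_packets(cert))
    if not packets or packets[0][0] != TAG_PUBKEY:
        raise ValueError("certificate must start with a public-key packet")
    own = v4_key_id(packets[0][1])
    return b"".join(packet(tag, body) for tag, body in packets
                    if tag != TAG_SIGNATURE or signature_issuer(body) == own)

# --- constructed sample data (dummy RSA key, unverifiable signatures) ---

def make_pubkey(tag, seed):
    """v4 RSA public-key packet with a dummy 1024-bit modulus derived from seed."""
    n = (b"\xc0" + hashlib.sha512(seed).digest() * 2)[:128]
    body = b"\x04" + struct.pack(">I", 1563744000) + b"\x01"   # v4, created, RSA
    body += struct.pack(">H", 1024) + n + struct.pack(">H", 17) + b"\x01\x00\x01"
    return packet(tag, body)

def make_signature(sig_type, issuer_id):
    """v4 signature packet carrying only an issuer subpacket and a dummy MPI."""
    hashed = bytes([9, SUBPKT_ISSUER]) + issuer_id      # 9 = type octet + key ID
    body = bytes([4, sig_type, 1, 8])                   # v4, type, RSA, SHA-256
    body += struct.pack(">H", len(hashed)) + hashed + struct.pack(">H", 0)
    body += b"\x00\x00" + struct.pack(">H", 16) + b"\xff\xff"   # hash prefix, MPI
    return packet(TAG_SIGNATURE, body)

def build_flooded_certificate(n_third_party):
    """Alice's key, one self-certification, n foreign certifications, a subkey."""
    primary = make_pubkey(TAG_PUBKEY, b"alice primary key")
    alice = v4_key_id(next(parse_packets(primary))[1])
    cert = primary + packet(TAG_USERID, b"Alice <alice@example.org>")
    cert += make_signature(0x13, alice)                 # positive self-certification
    for k in range(n_third_party):
        cert += make_signature(0x10, hashlib.sha1(b"flooder %d" % k).digest()[-8:])
    cert += make_pubkey(TAG_PUBSUBKEY, b"alice encryption subkey")
    cert += make_signature(0x18, alice)                 # subkey binding self-signature
    return cert, alice
```

Running `self_sigs_only` over `build_flooded_certificate(50000)` shrinks the certificate to five packets regardless of how many certifications were attached, which is the property the default is meant to guarantee; note that the filter, like the option it illustrates, also removes the legitimate third-party certifications a web-of-trust user would want, which is why the text above points such users at WKD, DANE or an explicitly trusted keyserver with `no-self-sigs-only`.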
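The note above recommends `--locate-key` by e-mail address over WKD or DANE/OPENPGPKEY instead of searching a keyserver. As an added example (not GnuPG's code and not part of this report), the block below derives the lookup names those two mechanisms use, following draft-koch-openpgp-webkey-service for WKD and RFC 7929 for OPENPGPKEY; the addresses are made up, and the function names are this example's own. The point worth seeing is that both names are keyed by the mailbox's own domain, so the certificate comes from the party that operates the address rather than from an anonymous keyserver pool.

```python
import base64
import hashlib
import urllib.parse

# z-base-32 alphabet (RFC 6189 5.1.6) in place of the RFC 4648 base32 one.
_ZB32 = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                      "ybndrfg8ejkmcpqxot1uwisza345h769")


def zbase32(data):
    """Unpadded z-base-32; a 20-byte SHA-1 digest becomes 32 characters."""
    return base64.b32encode(data).decode("ascii").rstrip("=").translate(_ZB32)

def split_address(address):
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError("not an e-mail address: %r" % address)
    return local, domain.lower()

def wkd_urls(address):
    """Advanced-method and direct-method WKD URLs for an address.

    The local part is lowercased before hashing, but its original spelling
    travels in the ?l= query so the server can serve case-sensitive mailboxes.
    """
    local, domain = split_address(address)
    hashed = zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())
    query = "?l=" + urllib.parse.quote(local, safe="")
    advanced = "https://openpgpkey.%s/.well-known/openpgpkey/%s/hu/%s%s" % (
        domain, domain, hashed, query)
    direct = "https://%s/.well-known/openpgpkey/hu/%s%s" % (domain, hashed, query)
    return advanced, direct

def openpgpkey_name(address):
    """DNS owner name of the OPENPGPKEY record (RFC 7929 section 3): hex of the
    first 28 octets of SHA-256 over the local part, under _openpgpkey.<domain>.
    This example does no case folding for DANE (WKD above lowercases)."""
    local, domain = split_address(address)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return "%s._openpgpkey.%s" % (digest.hex(), domain)


if __name__ == "__main__":
    for url in wkd_urls("Joe.Doe@Example.ORG"):
        print(url)
    print(openpgpkey_name("hugh@example.com"))
```

A client tries the advanced URL first and falls back to the direct one; both are plain HTTPS fetches validated with the system CA store, which is the confidentiality and integrity model the SKS pool's shared CA was only approximating.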
Added indication that 932684 affects src:gnupg2
Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net>
to submit@bugs.debian.org.
(Sun, 21 Jul 2019 19:57:05 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#932684; Package release.debian.org.
(Sun, 28 Jul 2019 15:00:04 GMT)
Acknowledgement sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Sun, 28 Jul 2019 15:00:05 GMT)
On Sun 2019-07-21 15:55:28 -0400, Daniel Kahn Gillmor wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian.org@packages.debian.org
> Usertags: pu
> Control: affects -1 src:gnupg2
>
> The version of GnuPG in debian buster (2.2.12-1) has a number of
> outstanding bugs related to OpenPGP certificate management and network
> access. Many of these concerns are addressed in some of the patches
> in upstream's STABLE-BRANCH-2-2 series.
>
> The debdiff (attached) is basically a slew of bugfix, documentation,
> stability, and efficiency patches cherry-picked from upstream, plus
> some additional changes to reduce the exposure of debian users to
> malicious attack on the SKS keyserver network, and some improvements
> in the continuous integration test suite.
ping on this? i'd appreciate any feedback about its prospects for
fixing problems for users of debian buster.
--dkg
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#932684; Package release.debian.org.
(Wed, 21 Aug 2019 17:21:07 GMT)
Acknowledgement sent
to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Wed, 21 Aug 2019 17:21:07 GMT)
Control: tags -1 + moreinfo
On Sun, 2019-07-21 at 15:55 -0400, Daniel Kahn Gillmor wrote:
> The version of GnuPG in debian buster (2.2.12-1) has a number of
> outstanding bugs related to OpenPGP certificate management and
> network access. Many of these concerns are addressed in some of the
> patches in upstream's STABLE-BRANCH-2-2 series.
>
> The debdiff (attached) is basically a slew of bugfix, documentation,
> stability, and efficiency patches cherry-picked from upstream, plus
> some additional changes to reduce the exposure of debian users to
> malicious attack on the SKS keyserver network, and some improvements
> in the continuous integration test suite.
Apologies for the delay in getting back to you regarding this.
On the whole, I'm happy to trust your judgement on the necessity of the
included changes, however this change in particular is one of the
reasons for the delay, while I considered it and sought wider input:
> * We adopt GnuPG's upstream approach of making keyserver access
> default to self-sigs-only. This means that the keyserver cannot
> flood the user's keyring by default. (we do *not* adopt upstream's
> choice of import-clean for keyserver default, see
> https://dev.gnupg.org/T4628 for more explanation)
The introduction of this change in unstable (and since in testing)
apparently led to some confusion amongst, and queries from, members of
the project, so is likely to have a similar (but quite possibly larger)
effect on the wider stable user base.
If we are to include it, I think it would therefore be wise to ensure
that it is accompanied by a NEWS entry which briefly explains the
change and its implications. (Relatedly, the further through the stable
cycle we get, the more awkward this would be to introduce.)
Regards,
Adam
Added tag(s) moreinfo.
Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk>
to 932684-submit@bugs.debian.org.
(Wed, 21 Aug 2019 17:21:08 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#932684; Package release.debian.org.
(Wed, 21 Aug 2019 19:09:06 GMT)
Acknowledgement sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Wed, 21 Aug 2019 19:09:06 GMT)
On Wed 2019-08-21 18:19:06 +0100, Adam D. Barratt wrote:
>> * We adopt GnuPG's upstream approach of making keyserver access
>> default to self-sigs-only. This means that the keyserver cannot
>> flood the user's keyring by default. (we do *not* adopt upstream's
>> choice of import-clean for keyserver default, see
>> https://dev.gnupg.org/T4628 for more explanation)
>
> The introduction of this change in unstable (and since in testing)
> apparently led to some confusion amongst, and queries from, members of
> the project, so is likely to have a similar (but quite possibly larger)
> effect on the wider stable user base.
>
> If we are to include it, I think it would therefore be wise to ensure
> that it is accompanied by a NEWS entry which briefly explains the
> change and its implications. (Relatedly, the further through the stable
> cycle we get, the more awkward this would be to introduce.)
Thanks, that's entirely reasonable. I've put this NEWS item into the
debian/buster branch on salsa. Otherwise, the debdiff is the same.
diff --git a/debian/NEWS b/debian/NEWS
index 0a6a7440d..3005e935c 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,25 @@
+gnupg2 (2.2.12-1+deb10u1) buster; urgency=medium
+
+ In this version we adopt GnuPG's upstream approach of making keyserver
+ access default to self-sigs-only. This defends against receiving
+ flooded OpenPGP certificates. To revert to the previous behavior (not
+ recommended!), add the following directive to ~/.gnupg/gpg.conf:
+
+ keyserver-options no-self-sigs-only
+
+ We also adopt keys.openpgp.org as the default keyserver, since it avoids
+ the associated bandwidth waste of fetching third-party certifications
+ that will not be used. To revert to the older SKS keyserver network (not
+ recommended!), add the following directive to ~/.gnupg/dirmngr.conf:
+
+ keyserver hkps://hkps.pool.sks-keyservers.net
+
+ Note: we do *not* adopt upstream's choice of import-clean for the
+ keyserver default, since it can lead to data loss, see
+ https://dev.gnupg.org/T4628 for more details.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 21 Aug 2019 14:53:47 -0400
+
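Review bot: the two revert recipes in this NEWS entry are independent, but the text reads as if either one alone restores the pre-update behaviour. A user who only adds `keyserver hkps://hkps.pool.sks-keyservers.net` to ~/.gnupg/dirmngr.conf still imports self-sigs-only, so the third-party certifications they went back to SKS for are dropped on import; a user who only adds `keyserver-options no-self-sigs-only` to ~/.gnupg/gpg.conf is still fetching from keys.openpgp.org, which per the original request does not serve third-party certifications at all. Suggest one sentence after the second directive saying that both are required to fully revert. It would also help to say here that this upload restricts the bundled SKS CA to hkps.pool.sks-keyservers.net (the "avoid using SKS pool CA unless the keyserver is hkps.pool.sks-keyservers.net" changelog line), so a user who substitutes any other hkps:// SKS mirror will also need that server's CA configured for dirmngr before the revert works.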
Let me know if you want me to re-generate a full debdiff, or if you're
ok with this plus the previous debdiff (with an updated date on
debian/changelog to match debian/NEWS), let me know whether i should go
ahead and upload.
Thanks for your thoughtfulness and review.
Regards,
--dkg
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#932684; Package release.debian.org.
(Thu, 22 Aug 2019 10:36:05 GMT)
Acknowledgement sent
to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Thu, 22 Aug 2019 10:36:05 GMT)
Control: tags -1 + confirmed d-i
[full quote for KiBi's benefit]
On 2019-08-21 20:05, Daniel Kahn Gillmor wrote:
> On Wed 2019-08-21 18:19:06 +0100, Adam D. Barratt wrote:
>>> * We adopt GnuPG's upstream approach of making keyserver access
>>> default to self-sigs-only. This means that the keyserver cannot
>>> flood the user's keyring by default. (we do *not* adopt upstream's
>>> choice of import-clean for keyserver default, see
>>> https://dev.gnupg.org/T4628 for more explanation)
>>
>> The introduction of this change in unstable (and since in testing)
>> apparently led to some confusion amongst, and queries from, members of
>> the project, so is likely to have a similar (but quite possibly
>> larger)
>> effect on the wider stable user base.
>>
>> If we are to include it, I think it would therefore be wise to ensure
>> that it is accompanied by a NEWS entry which briefly explains the
>> change and its implications. (Relatedly, the further through the
>> stable
>> cycle we get, the more awkward this would be to introduce.)
>
> Thanks, that's entirely reasonable. I've put this NEWS item into the
> debian/buster branch on salsa. Otherwise, the debdiff is the same.
>
>
> diff --git a/debian/NEWS b/debian/NEWS
> index 0a6a7440d..3005e935c 100644
> --- a/debian/NEWS
> +++ b/debian/NEWS
> @@ -1,3 +1,25 @@
> +gnupg2 (2.2.12-1+deb10u1) buster; urgency=medium
> +
> + In this version we adopt GnuPG's upstream approach of making
> keyserver
> + access default to self-sigs-only. This defends against receiving
> + flooded OpenPGP certificates. To revert to the previous behavior
> (not
> + recommended!), add the following directive to ~/.gnupg/gpg.conf:
> +
> + keyserver-options no-self-sigs-only
> +
> + We also adopt keys.openpgp.org as the default keyserver, since it
> avoids
> + the associated bandwidth waste of fetching third-party
> certifications
> + that will not be used. To revert to the older SKS keyserver network
> (not
> + recommended!), add the following directive to ~/.gnupg/dirmngr.conf:
> +
> + keyserver hkps://hkps.pool.sks-keyservers.net
> +
> + Note: we do *not* adopt upstream's choice of import-clean for the
> + keyserver default, since it can lead to data loss, see
> + https://dev.gnupg.org/T4628 for more details.
> +
> + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 21 Aug 2019
> 14:53:47 -0400
> +
>
>
> Let me know if you want me to re-generate a full debdiff, or if you're
> ok with this plus the previous debdiff (with an updated date on
> debian/changelog to match debian/NEWS),
That's fine, thanks.
> let me know whether i should go
> ahead and upload.
This will need a d-i ack, so tagging + CCing.
Regards,
Adam
Added tag(s) confirmed and d-i.
Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk>
to 932684-submit@bugs.debian.org.
(Thu, 22 Aug 2019 10:36:05 GMT)
Removed tag(s) moreinfo.
Request was from Adam D Barratt <adam@adam-barratt.org.uk>
to control@bugs.debian.org.
(Thu, 22 Aug 2019 11:21:09 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#932684; Package release.debian.org.
(Sat, 31 Aug 2019 11:39:03 GMT)
Acknowledgement sent
to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Sat, 31 Aug 2019 11:39:03 GMT)
On Thu, 2019-08-22 at 11:32 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed d-i
>
> [full quote for KiBi's benefit]
>
> On 2019-08-21 20:05, Daniel Kahn Gillmor wrote:
[...]
> > let me know whether i should go
> > ahead and upload.
>
> This will need a d-i ack, so tagging + CCing.
I don't know if that will be in time, but while we wait feel free to
upload so that the package is available if the timings turn out to be
on our side.
Regards,
Adam
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#932684; Package release.debian.org.
(Sat, 31 Aug 2019 13:30:03 GMT)
Acknowledgement sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Sat, 31 Aug 2019 13:30:03 GMT)
On Sat 2019-08-31 12:33:51 +0100, Adam D. Barratt wrote:
> I don't know if that will be in time, but while we wait feel free to
> upload so that the package is available if the timings turn out to be
> on our side.
uploaded now, thanks.
--dkg
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#932684; Package release.debian.org.
(Sat, 31 Aug 2019 15:21:04 GMT)
Acknowledgement sent
to Cyril Brulebois <kibi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Sat, 31 Aug 2019 15:21:04 GMT)
Adam D. Barratt <adam@adam-barratt.org.uk> (2019-08-22):
> > Thanks, that's entirely reasonable. I've put this NEWS item into the
> > debian/buster branch on salsa. Otherwise, the debdiff is the same.
No obvious regressions, so no objections.
Cheers,
--
Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
Removed tag(s) d-i.
Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk>
to control@bugs.debian.org.
(Sat, 31 Aug 2019 16:03:10 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>: Bug#932684; Package release.debian.org.
(Sat, 31 Aug 2019 23:03:09 GMT)
Acknowledgement sent
to Adam D Barratt <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Sat, 31 Aug 2019 23:03:09 GMT)
Subject: gnupg2 2.2.12-1+deb10u1 flagged for acceptance
Date: Sat, 31 Aug 2019 23:02:45 +0000
package release.debian.org
tags 932684 = buster pending
thanks
Hi,
The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian buster.
Thanks for your contribution!
Upload details
==============
Package: gnupg2
Version: 2.2.12-1+deb10u1
Explanation:
Added tag(s) pending; removed tag(s) confirmed.
Request was from Adam D Barratt <adam@adam-barratt.org.uk>
to control@bugs.debian.org.
(Sat, 31 Aug 2019 23:03:15 GMT)
Message sent on
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug#932684.
(Sat, 31 Aug 2019 23:03:17 GMT)
Reply sent
to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
You have taken responsibility.
(Sat, 07 Sep 2019 13:45:53 GMT)
Notification sent
to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug acknowledged by developer.
(Sat, 07 Sep 2019 13:45:53 GMT)