Opened 8 years ago

Closed 7 years ago

#5850 closed enhancement (fixed)

gnupg-2.1.3

Reported by: Fernando de Oliveira Owned by: Fernando de Oliveira
Priority: normal Milestone: 7.8
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description (last modified by Fernando de Oliveira)

ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.3.tar.bz2

ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.3.tar.bz2.sig

It is recommended by the developers that befor you backup the directory

~/.gnupg

before upgrading the system to gnupg-2.1.

Change History (21)

comment:1 by Fernando de Oliveira, 8 years ago

Summary: gnupg-2.1.0gnupg-2.1.0 (placeholder)

comment:2 by Armin K, 8 years ago

It's stable alright, but not fully compatible with gpg-2.0/1.4. Some apps and book instructions need to be ported to use it.

comment:3 by Fernando de Oliveira, 8 years ago

Main page:

https://www.gnupg.org/

GnuPG comes in two flavours: 1.4.18 is the well known and portable standalone
version, whereas 2.0.26 is the enhanced and modern version and suggested for
most users.

Download page:

https://www.gnupg.org/download/index.html

Name 	Version 	Size 	Tarball 	Signature
GnuPG stable 	2.0.26 	4203k 	download 	download
GnuPG modern 	2.1.0 	3039k 	download 	download
GnuPG classic 	1.4.18 	3564k 	download 	download

comment:4 by Armin K, 8 years ago

I don't think it says "not stable", but way too new, aka "modern", which is more or less the same what I said. The reason 2.0.26 is recommended is that it's fully compatible with 1.4 series and can be used as drop in replacement for it, whereas 2.1 can't and apps need to be modified to use it.

comment:5 by Fernando de Oliveira, 8 years ago

Description: modified (diff)

OK. Is the change made al right? I need to write something there to explain why we are not updating it.

comment:6 by Fernando de Oliveira, 8 years ago

Description: modified (diff)

comment:7 by bdubbs@…, 8 years ago

Is there a use case for gnupg-2.1.0 in BLFS now?

comment:8 by Fernando de Oliveira, 8 years ago

LOL. I don't understand very well the question, sorry.

If you are asking me if there is any package the needs it, no that I am aware of.

I opened the ticket just to because it appears everyday in the "BLFS Package Currency Check" post, without a corresponding ticket.

I did the same for other packages, even reopening FF, just for that sake.

I don't mind if you close them, though, it would be new info and learning for me.

comment:9 by Fernando de Oliveira, 8 years ago

The "LOL" was because I was ashamed for not understanding very well the question.

Last edited 8 years ago by Fernando de Oliveira (previous) (diff)

comment:10 by bdubbs@…, 8 years ago

I was asking if there is a need to include both gnupg-2.1 and gnupg-2.0 in the book, that's all. Personally if they are not compatible, I'd think the new version should be gnupg-3.0.

comment:11 by Fernando de Oliveira, 8 years ago

OK. Agree. Thanks, and sorry for not understanding the first comment.

comment:12 by Fernando de Oliveira, 8 years ago

Armin, please, have you done new tests with this, to see if it is possible to make the upgrade?

comment:13 by Armin K, 8 years ago

No, not yet. Last time I tried it broke my Thunderbird e-mail signing with Engimail addon and I don't intend to upgrade until that's fixed - be it on engimail's or gnupg's side.

comment:14 by Fernando de Oliveira, 8 years ago

Description: modified (diff)
Summary: gnupg-2.1.0 (placeholder)gnupg-2.1.1 (placeholder)

comment:15 by Fernando de Oliveira, 7 years ago

I realized that this version is now released by ArchLinux, and yesterday, spent part of the morning and afternoon investigating.

My conclusion is that it does not replace the version in the book, or it is broken as a replacement, confirming what Armin found: failed to authenticate krb5-1.13. Didn't install, so cannot confirm that enigmail-1.7 build is broken with it. Could try to install in another prefix, but don't think it is worth.

I would recommend to modify from hold to future.

Details of what I found

They even state that:

This release introduces a lot of changes.  Most of them are internal
 and thus not user visible.  However, some long standing behavior has
 slightly changed and it is strongly suggested that an existing
 "~/.gnupg" directory is backed up before this version is used.

This comment is not at all accurate. The truth is: some long standing behavior has completely changed.

Changes that makes it difficult using as a replacement:

* gpg: All support for v3 (PGP 2) keys has been dropped.  All
   signatures are now created as v4 signatures.  v3 keys will be
   removed from the keyring.

* gpg: Removed the option --pgp2 and --rfc1991 and the ability to
   create PGP-2 compatible messages.

* gpg: Reject signatures made using the MD5 hash algorithm unless the
   new option --allow-weak-digest-algos or --pgp2 are given.

This is the main point, responsible for the problem with krb5 key.

Notice that they explicitly removed the option --pgp2, after including -allow-weak-digest-algos, but only the former is cited as being removed. Actually, both have been removed. This option was what made it possible to authenticate krb5. Worse: v3 keys will be removed from the keyring.

I have not found a way of converting old databases to the new version, do not know if it is possible, so, it seems that many keys are now useless for this version.

Another point: there is a switch to get the new gpg2 executable being named simply gpg, which is still worse indication of problems and that developers intended these problems to be introduced.

There is a new requirement: "nPth - The new GNU portable threads library".

ftp://ftp.gnupg.org/gcrypt/npth/npth-1.1.tar.bz2

Programs added and deleted (there are many new switches, so some of them probably could be included/deleted - I know about some):

new programs:
dirmngr
dirmngr_ldap
dirmngr-client
g13
gpgtar

deleted programs (perhaps could have been buit with proper switches)
gnupg-pcsc-wrapper
gpg2keys_curl
gpg2keys_finger
gpg2keys_hkp
gpg2keys_ldap

Although apparently with different motivation, developers behavior seem to have some parallel with the one from systemd developers.

Although in their site

https://www.gnupg.org/

they write:

 GnuPG comes in three flavours:

    2.0.26 is the stable version suggested for most users,
    2.1.1 is the brand-new modern version with support for ECC
    and many other new features,
    and 1.4.18 is the classic portable version.

in the ftp README fiele, we still have:

GnuPG 1.4.x is the portable standalone version of GnuPG 
GnuPG 2.0.x is a modernized version of GnuPG including support
            for S/MIME and Secure Shell

Summary: probably shoud be modified from hold to future.

comment:16 by bdubbs@…, 7 years ago

Milestone: holdfuture

I agree with you about moving to future.

Actually, I don't have a problem with the changes they made, but I do have a problem with the version number. The changes are significant enough to be 3.x.

in reply to:  16 comment:17 by Fernando de Oliveira, 7 years ago

Replying to bdubbs@…:

Thanks for the reply and the modification of the ticket.

Actually, I don't have a problem with the changes they made, but I do have a problem with the version number. The changes are significant enough to be 3.x.

You're right. What they are trying to do is increase security. Problem is how long it will take for users to make the transition, e.g. updating their keys.

comment:18 by bdubbs@…, 7 years ago

Description: modified (diff)
Summary: gnupg-2.1.1 (placeholder)gnu privacy guard 2.1 (placeholder)

comment:19 by Fernando de Oliveira, 7 years ago

Description: modified (diff)

comment:20 by Fernando de Oliveira, 7 years ago

Description: modified (diff)
Milestone: future7.8
Owner: changed from blfs-book@… to Fernando de Oliveira
Status: newassigned
Summary: gnu privacy guard 2.1 (placeholder)gnupg-2.1.3

Following discussion in -dev, I'm updating the book to this one.

Tested: seahorse gcr gnome-keyring gpgme ImageMagick mercurial xfce4-session

Built, not installed: qca mutt

Problem left: MIT Kerberos cannot be authenticated, because the key is in unsupported pgp2 format.

It is recommended by the developers that befor you backup the directory

~/.gnupg

before upgrading the system to gnupg-2.1.

Two URLs that might help if you have any trouble:

https://wiki.archlinux.org/index.php/GnuPG#Troubleshooting

http://jo-ke.name/wp/?p=111

The latter is cited by the former.

comment:21 by Fernando de Oliveira, 7 years ago

Resolution: fixed
Status: assignedclosed

Fixed at r15891.

Note: See TracTickets for help on using tickets.