Opened 9 years ago
Closed 9 years ago
#5850 closed enhancement (fixed)
gnupg-2.1.3
Reported by: | Fernando de Oliveira | Owned by: | Fernando de Oliveira |
---|---|---|---|
Priority: | normal | Milestone: | 7.8 |
Component: | BOOK | Version: | SVN |
Severity: | normal | Keywords: | |
Cc: |
Description (last modified by )
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.3.tar.bz2
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.3.tar.bz2.sig
It is recommended by the developers that you back up the directory
~/.gnupg
before upgrading the system to gnupg-2.1.
Change History (21)
comment:1 by , 9 years ago
Summary: | gnupg-2.1.0 → gnupg-2.1.0 (placeholder) |
---|
comment:2 by , 9 years ago
comment:3 by , 9 years ago
Main page:
GnuPG comes in two flavours: 1.4.18 is the well known and portable standalone version, whereas 2.0.26 is the enhanced and modern version and suggested for most users.
Download page:
https://www.gnupg.org/download/index.html
Name | Version | Size | Tarball | Signature |
---|---|---|---|---|
GnuPG stable | 2.0.26 | 4203k | download | download |
GnuPG modern | 2.1.0 | 3039k | download | download |
GnuPG classic | 1.4.18 | 3564k | download | download |
comment:4 by , 9 years ago
I don't think it says "not stable", but way too new, aka "modern", which is more or less the same as what I said. The reason 2.0.26 is recommended is that it's fully compatible with the 1.4 series and can be used as a drop-in replacement for it, whereas 2.1 can't and apps need to be modified to use it.
comment:5 by , 9 years ago
Description: | modified (diff) |
---|
OK. Is the change made all right? I need to write something there to explain why we are not updating it.
comment:6 by , 9 years ago
Description: | modified (diff) |
---|
comment:8 by , 9 years ago
LOL. I don't understand the question very well, sorry.
If you are asking me if there is any package that needs it, not that I am aware of.
I opened the ticket just because it appears every day in the "BLFS Package Currency Check" post, without a corresponding ticket.
I did the same for other packages, even reopening FF, just for that sake.
I don't mind if you close them, though, it would be new info and learning for me.
comment:9 by , 9 years ago
The "LOL" was because I was ashamed for not understanding the question very well.
comment:10 by , 9 years ago
I was asking if there is a need to include both gnupg-2.1 and gnupg-2.0 in the book, that's all. Personally if they are not compatible, I'd think the new version should be gnupg-3.0.
comment:12 by , 9 years ago
Armin, please, have you done new tests with this, to see if it is possible to make the upgrade?
comment:13 by , 9 years ago
No, not yet. Last time I tried, it broke my Thunderbird e-mail signing with the Enigmail add-on and I don't intend to upgrade until that's fixed - be it on Enigmail's or gnupg's side.
comment:14 by , 9 years ago
Description: | modified (diff) |
---|---|
Summary: | gnupg-2.1.0 (placeholder) → gnupg-2.1.1 (placeholder) |
comment:15 by , 9 years ago
I realized that this version is now released by ArchLinux, and yesterday, spent part of the morning and afternoon investigating.
My conclusion is that it does not replace the version in the book, or it is broken as a replacement, confirming what Armin found: failed to authenticate krb5-1.13. Didn't install, so cannot confirm that enigmail-1.7 build is broken with it. Could try to install in another prefix, but don't think it is worth it.
I would recommend to modify from hold to future.
Details of what I found
They even state that:
This release introduces a lot of changes. Most of them are internal and thus not user visible. However, some long standing behavior has slightly changed and it is strongly suggested that an existing "~/.gnupg" directory is backed up before this version is used.
This comment is not at all accurate. The truth is: some long standing behavior has completely changed.
Changes that make it difficult to use as a replacement:
* gpg: All support for v3 (PGP 2) keys has been dropped. All signatures are now created as v4 signatures. v3 keys will be removed from the keyring.
* gpg: Removed the option --pgp2 and --rfc1991 and the ability to create PGP-2 compatible messages.
* gpg: Reject signatures made using the MD5 hash algorithm unless the new option --allow-weak-digest-algos or --pgp2 are given.
This is the main point, responsible for the problem with krb5 key.
Notice that they explicitly removed the option --pgp2, after including --allow-weak-digest-algos, but only the former is cited as being removed. Actually, both have been removed. This option was what made it possible to authenticate krb5. Worse: v3 keys will be removed from the keyring.
I have not found a way of converting old databases to the new version, do not know if it is possible, so, it seems that many keys are now useless for this version.
Another point: there is a switch to get the new gpg2 executable named simply gpg, which is a still worse indication of problems and that developers intended these problems to be introduced.
There is a new requirement: "nPth - The new GNU portable threads library".
ftp://ftp.gnupg.org/gcrypt/npth/npth-1.1.tar.bz2
Programs added and deleted (there are many new switches, so some of them probably could be included/deleted - I know about some):
new programs: dirmngr dirmngr_ldap dirmngr-client g13 gpgtar
deleted programs (perhaps could have been built with proper switches): gnupg-pcsc-wrapper gpg2keys_curl gpg2keys_finger gpg2keys_hkp gpg2keys_ldap
Although apparently with different motivation, the developers' behavior seems to have some parallel with the one from systemd developers.
Although in their site
they write:
GnuPG comes in three flavours: 2.0.26 is the stable version suggested for most users, 2.1.1 is the brand-new modern version with support for ECC and many other new features, and 1.4.18 is the classic portable version.
in the ftp README file, we still have:
GnuPG 1.4.x is the portable standalone version of GnuPG
GnuPG 2.0.x is a modernized version of GnuPG including support for S/MIME and Secure Shell
Summary: probably should be modified from hold to future.
follow-up: 17 comment:16 by , 9 years ago
Milestone: | hold → future |
---|
I agree with you about moving to future.
Actually, I don't have a problem with the changes they made, but I do have a problem with the version number. The changes are significant enough to be 3.x.
comment:17 by , 9 years ago
Replying to bdubbs@…:
Thanks for the reply and the modification of the ticket.
Actually, I don't have a problem with the changes they made, but I do have a problem with the version number. The changes are significant enough to be 3.x.
You're right. What they are trying to do is increase security. Problem is how long it will take for users to make the transition, e.g. updating their keys.
comment:18 by , 9 years ago
Description: | modified (diff) |
---|---|
Summary: | gnupg-2.1.1 (placeholder) → gnu privacy guard 2.1 (placeholder) |
comment:19 by , 9 years ago
Description: | modified (diff) |
---|
comment:20 by , 9 years ago
Description: | modified (diff) |
---|---|
Milestone: | future → 7.8 |
Owner: | changed from | to
Status: | new → assigned |
Summary: | gnu privacy guard 2.1 (placeholder) → gnupg-2.1.3 |
Following discussion in -dev, I'm updating the book to this one.
Tested: seahorse gcr gnome-keyring gpgme ImageMagick mercurial xfce4-session
Built, not installed: qca mutt
Problem left: MIT Kerberos cannot be authenticated, because the key is in unsupported pgp2 format.
It is recommended by the developers that you back up the directory
~/.gnupg
before upgrading the system to gnupg-2.1.
Two URLs that might help if you have any trouble:
https://wiki.archlinux.org/index.php/GnuPG#Troubleshooting
The latter is cited by the former.
It's stable alright, but not fully compatible with gpg-2.0/1.4. Some apps and book instructions need to be ported to use it.