[pkg-gnupg-maint] Bug#1022702: gnupg: Migrating packaging from 2.2.x to "stable" 2.4.x

Alexandru Chirita alexandru.chirita4192 at gmail.com
Sun Jul 30 15:04:24 BST 2023


Package: gpg
Version: 2.2.40-1.1
Followup-For: Bug #1022702
X-Debbugs-Cc: alexandru.chirita4192 at gmail.com

Dear Maintainer,

gpg version 2.2.40-1.1 doesn't include TPM 2.0 support and I believe it
should be included in Debian.

In my opinion Debian should support TPM 2.0 more, including at least a gpg
version that has TPM 2.0 support (starting from version 2.3 gpg has TPM
support with commands like `keytotpm` allowing users to secure their PGP
private keys in the TPM that should ensure some level of security).

Other operating systems cannot even be installed without the TPM 2.0
hardware (like Windows 11), while Debian is not taking advantage of all the
TPM 2.0 features by providing gpg with a version including TPM 2.0 support,
at least for the unstable Debian version (sid).

gpg package supports TPM 2.0 commands starting from version 2.3:
https://gnupg.org/blog/20210315-using-tpm-with-gnupg-2.3.html

Package gpg versions are below gpg 2.3 even for unstable version (sid):
sid (unstable) <https://packages.debian.org/sid/gpg> (utils): GNU Privacy
Guard -- minimalist public key operations
2.2.40-1.1: alpha amd64 arm64 armel armhf hppa i386 ia64 m68k mips64el
mipsel ppc64 ppc64el riscv64 s390x sh4 sparc64 x32

I would expect a newer version to be supported because gpg version 2.2
is approaching end of life on 2024-12-31 and version 2.3 started on
2021-04-07 and was incremented to 2.4 but it should be stable.

I understand that upgrading GnuPG to newer version 2.4.x might require
upgrading other libraries but I consider it worth it.


Thank you for your understanding,
Alexandru Chirita


-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-10-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gpg depends on:
ii  gpgconf        2.2.40-1.1
ii  libassuan0     2.5.5-5
ii  libbz2-1.0     1.0.8-5+b1
ii  libc6          2.36-9+deb12u1
ii  libgcrypt20    1.10.1-3
ii  libgpg-error0  1.46-1
ii  libreadline8   8.2-1.3
ii  libsqlite3-0   3.40.1-2
ii  zlib1g         1:1.2.13.dfsg-1

Versions of packages gpg recommends:
ii  gnupg  2.2.40-1.1

gpg suggests no packages.

-- no debconf information