[pkg-gnupg-maint] Bug#822974: backport for jessie

Fri Apr 29 16:29:42 UTC 2016

On 29/04/16 16:36, Robert Lange wrote:
> I have made such a backport in my personal Jessie backports repo. I
> used the source packages from testing (and maybe unstable, if a
> package was not in testing, but I think all relevant packages are in
> testing now). The process was complicated b/c I needed to backport
> dpkg and debhelpers and a bunch of others in order to satisfy the
> dependency chain and build dependency chain. However, after compiling
> around 10ish source packages, everything worked. I've been tracking
> and keeping up w/ changes, and so far I have not had any problems,
> with the following caveats.
>
> One major issue with an official backport is that GnuPG 2.1 breaks
> backward compatibility with the key format of previous versions. This
> is not a problem if you can use gpg2 for everything, but if you still
> need gpg1 for some things, then you will have to manually keep 2
> copies of your keychain in sync; the old 1.x format and the 2.1
> format. Every time you import or sign a new key, you will have to
> remember to do the operation with both gpg and gpg2. For me, I have
> been able to live with 2.1 only, but others may not be able to.
>
> This is made somewhat more complicated by the fact that many Debian
> admin and build scripts currently still default to invoke gpg instead
> of gpg2. I had to set some environment variables to get some scripts
> to use gpg2, and I think I had to set up a diversion for some other
> scripts that are currently hard-coded to use gpg instead of gpg2. (I
> am not at home currently, so I can't be more exact.) There were some
> warnings about gpg2 having possibly incompatible command line
> arguments and maybe some scripts breaking as a result of this, but so
> far I have not noticed any problems from this.
>
> Anyway, upgrading my personal machines to GnuPG 2.1 was interesting
> and rewarding, but given the above, I would say that doing this in the
> official backports repo would cause a lot of problems, especially with
> that special breed of user who upgrades first and reads the notes later.

Thanks for this feedback

My reason for this is the PGP Clean Room Live CD:

https://wiki.debian.org/OpenPGP/CleanRoomLiveEnvironment

and users of the CD would not necessarily be impacted by the dependency
issues or the backwards compatibility issues.

However, I agree that regular users of backports could be surprised by
these compatibility issues.  I wonder if we need a
jessie-backports-experimental for things that could be troublesome like
this.

Regards,

Daniel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20160429/a7f37159/attachment.html>