[pkg-gnupg-maint] Bug#841143: Bug#841143: Suspected race in gpg1 to gpg2 conversion or agent startup

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Oct 19 13:00:07 UTC 2016


On Wed 2016-10-19 05:47:02 -0400, Ian Jackson wrote:
> Daniel Kahn Gillmor writes ("Re: [pkg-gnupg-maint] Bug#841143: Suspected race in gpg1 to gpg2 conversion or agent startup"):
>> If you have a test suite that intends to use secret key material, and
>> you want it to work across different versions of GnuPG, your test suite
>> should not ship what it thinks is a GNUPGHOME.  GnuPG doesn't guarantee
>> that one version will necessarily work with the other's.
>
> If gnupg doesn't guarantee that v1's will work with v2 then you don't
> have an upgrade path for your users.

We do have an upgrade path currently from v1.4.x to v2.0.x and v2.1.x.
However, I don't know whether GnuPG upstream is willing to guarantee
that v1 will work with v2.4.x.  If you want things to be arbitrarily
portable, you should use the portable data formats.

Similarly, if you wanted to use a mysql or postgresql database in your
test suite, you should ship the pre-populated database as a textual sql
file.

> I'll take your answer as a declaration that downgrading is not
> supported.  Unfortunately I think this means you have a bug.
>
> For example, consider schroots, which typically contain /home.

An schroot will also work when upgraded across single Debian versions.
I'm afraid you're simply not going to get the fastest possible
conversion if you do incur an upgrade during your test suite's
migration.  Sorry!

> Also there are institutions where all the home directories are on NFS.
> Obviously one wouldn't recommend putting GNUPGHOME on NFS, but there
> might be reasons why it's OK in context.
>
> In both of these situations the same ~ may be operated on by programs
> from different Debian releases (or non-Debian operating systems) in
> any arbitrary interleaved order.

I believe upstream is aware of this, which is why they've declared (for
example) that gpg 2.0 and gpg 2.1 are not "co-installable".

Upstream is supporting an upgrade path, but it's true that after
converting a homedir to 2.1, 1.4 cannot see the same key material any
more.

        --dkg