[pkg-gnupg-maint] stretch-pu: package gnupg2/2.1.18-8~deb9u3

Jonas Meurer jonas at freesources.org
Mon Oct 15 21:29:16 BST 2018


Hello,

again, thanks a lot to dkg for your hard work to bring Enigmail 2.0 to
Stretch! Once again it's amazing to follow your work and see how
thorough you are :)

On Sun, 14 Oct 2018 18:58:33 -0400 Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
> Hi release team, security team:
> 
> over in #910398, i wrote:
> 
> On Fri 2018-10-05 17:48:10 -0500, Daniel Kahn Gillmor wrote:
> > I'd like to update the version of GnuPG in debian stable with a series
> > of targeted bugfixes (most of which are backported from upstream).
> >
> > There are four complementary reasons, which i explain in more detail
> > below:
> >
> >  * ptrace hardening for scdaemon
> >  * bugfixes that target some common workflows
> >  * updating cryptographic defaults
> >  * fixing enigmail in stretch
> >
> > All of the patches that implement these changes have been in buster
> > for many months (either as upstream improvements or debian-specific
> > improvements).
> 
> I'd appreciate some followup on this from the debian teams -- am i
> barking up the wrong tree?  should i take a different approach?  or do i
> (and the stretch users of enigmail) just need to wait a little while
> longer for review?
> 
> Many thanks for your work in keeping debian stable safe, healthy, and
> useful.

Due to the intrusive changes I can imagine that the responsible teams
need some time for the decision. Still it would be great if you could
send a short note on whether you discuss this internally and whether you
consider it a valid approach at all. That would help a lot with waiting.

As dkg already explained, right now, everybody who uses Enigmail on
Stretch is stuck with vulnerable Thunderbird 52 packages. Which,
unfortunately, means a *lot* of users. Thus I consider any necessary
steps (or prerequisites) to get Enigmail 2.0 into Stretch pretty urgent.

> PS thanks to Georg for his testing of these changes, as noted in
> #910398!

Ack, thanks Georg!

Cheers
 jonas
