Bug#1100454: libmodule-signature-perl: Infinite loop with gpg-sq

Guillem Jover guillem at debian.org
Fri Mar 14 03:42:04 GMT 2025


Package: libmodule-signature-perl
Version: 0.89-1
Severity: serious
Forwarded: https://github.com/audreyt/module-signature/pull/40
Tags: patch

Hi!

As part of the release process for dpkg, there's a CPAN distribution
generated from the source tree to be uploaded, and to sign it, this
module is being used.

When doing so as part of one of the last releases, the release script
got stuck during the CPAN signing. While debugging I tracked it down
to gpg-sq emitting unexpected output on stdout (reported upstream as
<https://gitlab.com/sequoia-pgp/sequoia-chameleon-gnupg/-/issues/128>),
which then made the Module::Signature module get into an infinite
loop. I don't think that should really happen (even if gpg-sq is
not mimicking the gpg-g10code behavior here).

I've created a patch for that, which fixes the problematic code, and
submitted upstream, but that has not been merged yet. If there is
concern about its aptness, then a more minimal fix would be to simply
change both «while» keywords into «foreach» (which is what I did
initially on my system to be able to proceed with the release). I can
provide that instead if that would be the preference (this would also
avoid the spurious warning from Module::Signature about not finding the
key in any public keyserver due to gpg-sq not implementing the gpg
--search-keys option and also the warning about that option not being
implemented, see also
<https://gitlab.com/sequoia-pgp/sequoia-chameleon-gnupg/-/issues/129>),
which would not seem like a huge loss, given that this code has been
pretty much inert all this time anyway.

Thanks,
Guillem
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-gpg-output-parsing.patch
Type: text/x-diff
Size: 2469 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-perl-maintainers/attachments/20250314/c73fbf9a/attachment.patch>

