[pkg-php-pear] Bug#1099043: php-crypt-gpg: Crypt_GPG test suite is wrong for Cleartext Signature Framework (CSF) messages
Andreas Metzler
ametzler at bebt.de
Thu Mar 13 17:45:54 GMT 2025
On 2025-03-12 Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> On Wed 2025-03-12 18:13:49 +0100, Andreas Metzler wrote:
[...]
>> php-crypt-gpg 1.6.9-3 can be built against gnupg 2.2.46-1 but fails
>> against gnupg 2.2.46-3 and later. And vice versa the patched testsuite
>> of php-crypt-gpg 1.6.9-4 only works with gnupg 2.2.46-3 (or similarly
>> patched versions of 2.4).
> yes, i think that's correct. If you'd prefer, i can offer a patch to
> php-crypt-gpg's test suite that accepts whether there's a trailing
> newline or not. That kind of flexible patch could be upstreamable, and
> would work with a patched or non-patched GnuPG.
Hello Daniel,
having this properly fixed upstream would be great or even a must. (I
suspect sequoia chameleon would trigger the same or a similar error as
gnupg-patched does.) I also think it is important to not start precedent
in having Debian packages patched to work with (only) "our gnupg".
>> So this cannot be applied upstream. Afaiui this is nowadays niche,
>> non-recommended usage of gnupg so I wonder whether the cost/benefit
>> ratio for applying this patch to our gnupg packages (or including it
>> in FreePG) is good enough.
> if we want GnuPG to interoperate with standard-following OpenPGP tools,
> then we need GnuPG to sign the material that is actually passed in, and
> emit the material that is actually signed. While i agree that the CSF
> is deprecated, it is still widely used (e.g. debian's InRelease uses
> it), and any interoperability test that tries to round-trip data through
> two different implementations will flag this as a problem.
> I see the goal of my debian GnuPG work as being that we should provide a
> tool to debian users that will interoperate with any OpenPGP
> implementation as best as we can.
[...]
I suspect keeping/putting gnupg in-line with OpenPGP is not going to be
simple, we (well, you ;-) ) will need to choose our battles,
concentrating on the most important use-cases or the ones with hard
breakage. Also imho every deviation from upstream gnupg behavior has a
cost of its own, especially possibly breaking compatibility with
unpatched gnupg. That is where my talk about "cost/benefit ratio" came
from. I am just not sure whether the patch is worth the pain.
I hope that helps you in making a good decision. (*Either* way, keeping
or removing the patch.)
thanks, cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
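As an added illustration (not code from this thread, Crypt_GPG or GnuPG) of the trailing-newline ambiguity Daniel proposes tolerating in the test suite: a small Python parser that recovers the signed text from a cleartext-signed message following RFC 4880 section 7, plus a comparison helper that accepts one optional trailing newline but flags any other difference. The message and its signature block are constructed placeholders.

```python
# Constructed sample in Cleartext Signature Framework (CSF) form.
# The signature armor is a placeholder; only the framing matters here.
SAMPLE_CSF = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello, world!   
- -- a line that began with a dash (dash-escaped)
last line
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAd...placeholder-signature-data...
-----END PGP SIGNATURE-----
"""


def extract_signed_text(msg: str) -> str:
    """Return the text a cleartext signature covers, canonicalised as
    RFC 4880 section 7 describes: armor headers and the blank line are
    skipped, dash-escaping ("- " prefix) is undone, trailing whitespace
    on each line is dropped, and the line ending just before the
    signature armor is NOT part of the signed text."""
    lines = msg.split("\n")
    if lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        raise ValueError("not a cleartext-signed message")
    i = 1
    while i < len(lines) and lines[i] != "":  # skip "Hash:" headers
        i += 1
    i += 1  # skip the blank separator line
    body = []
    for line in lines[i:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        if line.startswith("- "):
            line = line[2:]
        body.append(line.rstrip(" \t\r"))
    else:
        raise ValueError("signature armor not found")
    return "\n".join(body)


def _drop_one_trailing_newline(s: str) -> str:
    return s[:-1] if s.endswith("\n") else s


def cleartext_matches(expected: str, actual: str) -> bool:
    """Test-suite style comparison that tolerates exactly the ambiguity
    the thread discusses (signed text reported with or without a single
    trailing newline) while still rejecting any other difference."""
    return _drop_one_trailing_newline(expected) == _drop_one_trailing_newline(actual)
```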