[Pkg-rust-maintainers] Bug#1103016: incompatibility with gpg causing FTBFS
Daniel Kahn Gillmor
dkg at debian.org
Mon Apr 14 14:53:23 BST 2025
On Mon 2025-04-14 13:43:20 +0200, Justus Winter wrote:
> René Engelhard <rene at rene-engelhard.de> writes:
>
>> If you divert /usr/bin/gpg, IMHO you need to behave like gpg.
>
> gpg doesn't behave like gpg. Just look at all the version-specific
> hacks in GPGME if you don't take my word for it. Any code relying on a
> specific behavior of gpg is broken.

GnuPG maintainer here. i have to say i'm sympathetic to Justus's
position, though i would have put it slightly differently.

There is no one single "gpg behavior", even among all currently
supported GnuPG releases. It gets even hairier if you go back in time
and look at the range of historical behaviors, even of all versions in
Debian stable releases.

Doing downstream maintenance of GnuPG means dealing with constant flux
and strange quirks, some of which upstream takes seriously when they're
discovered and some of which appear to just be the standard operating
procedure, with no explanation forthcoming.

The Sequoia Chameleon ("gpg-sq") has so far been fairly stable, and its
divergences from GnuPG are explicitly documented with what seem like
reasonable motivations to me:

https://gitlab.com/sequoia-pgp/sequoia-chameleon-gnupg#known-deliberate-divergences

The fact that it uncovered weak digest algorithms used in a relatively
recently created test suite does not seem like a bug in gpg-sq; rather,
it looks like part of a long overdue hardening of the ecosystem.

Regards,

--dkg