Your message dated Mon, 30 Jun 2014 14:11:25 +0200
with message-id <[email protected]>
and subject line Re: Bug#749335: Oldstable GnuPG no longer capable of using
large keys
has caused the Debian Bug report #749335,
regarding Oldstable GnuPG no longer capable of using large keys
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
749335: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749335
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package: gnupg
Version: 1.4.10-4+squeeze4
X-Debbugs-CC: [email protected]
First-time bug reporter here, so my apologies in advance if I've left
something out or committed any faux pas.
I use TAILS to help safeguard my master GPG keypairs, of which I have
two. The first (for general use) is a 4096-bit key. The second (for
long-term identity) is a 16384-bit key.
Up to and including TAILS 0.22, I was able to use both keys with stock
GnuPG. From TAILS 0.22.1 onwards, I can only use the smaller key.
Attempting to sign other keys with the larger key causes GnuPG to
immediately die with an "out of secure memory" message, as also
reported in bug #739424. (Though that bug is filed against a different
version.)
I have verified that the old versions of GnuPG in TAILS 0.22 continue
to work correctly. I copied the GnuPG executable out of TAILS 0.22 and
into TAILS 1.0, and ran both executables against the larger key. The
version shipped with 1.0 dies as described, but the imported version
from 0.22 works correctly.
The changelog from TAILS 0.22 to 0.22.1 includes the update to GnuPG
described in DSA-2821-1, but nothing more. Since both versions of
GnuPG report themselves as 1.4.10, I am assuming that TAILS is
tracking Debian oldstable, and I have therefore filed this bug against
that version.
-Lance
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
iQIcBAEBCgAGBQJTg0jnAAoJEECmBqfoBgXnxlAP/2GvKizXzG/kTZGmg68YUsxL
0/eZGbSK5nQ/EP+ez8qc9hiUPceJ+PBBXErSoEm2EXSUaPPCauIr9Xuh5upEVBI2
rTw0kt3LzKpxdQqbxUJ/m0Zr+hyd+QCdRA7AejNLbp1q7jrjmYdGRKFJqSWP5e7Y
CKS7QwMt0ctI0fHfB7s4lO8wZ2l1g2XhmSV318jukSyGFJpJKyIzRqPdx6NQ9Mx6
C99LHhWjBdneJP24d/w/KTwK2Ct2CNc4iY8Oln0gVsh4IAktDrtW4h3wz04pXp8Y
cUyqVuYE9eExVBD/Im9GCeXWLPZ02UaQFRQFt2Y60vqYLPhDGqPCVUz00ztecdPi
ptL0fyDKd/F6nuAwBqlMHqcCqqTo7sv218K8lmfoR0rZ6FhblQONffNwiWa1MNCE
0/+Sw7f84SRNjJUsz4I+Q54e03lMusmdXX3oNKIYhwVZlYns/fDq0Eg1hWWx3DMF
8vi8UT9stTt7ncnDymENiDONKtW+cVLNO8TjybDT6VTpMDYWkJIh/R9lWadXbpB4
h43D/9/otgVzPflASw7wI/888URi4WscmLeNB2hEjxw5wYhjKcWbRpFVPHE+Kwde
tXVlZO1hMMAtS/5oG/A3EW3WFErWO/d6NZSvgalJ0qkNj90Nqu5FTXSXZyW7PjfA
NOyW8JUJQeYfT3uWpDqU
=Ognd
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
Op dinsdag 24 juni 2014 21:46:52 schreef Lance Hathaway:
> Perhaps a large part of my frustration / confusion stems from a lack of
> understanding. Obviously something changed between the version that worked
> and the version that does not. I don't know enough to figure out what code
> changed to impact this functionality, and I certainly don't understand
> why. From what I've been able to tell, this is purely a matter of
> allocating more secure memory, as if the allocation was reduced at some
> point. I don't know whether this was part of the fix for CVE-2013-4576 (if
> so, why was this impacted?), or if it was another code change rolled into
> the same update (if so, why the reduction [if it was a reduction]?). Could
> you possibly shed some light on this?
Just responding from the view of Debian maintainer, for your information:
regardless whether the change is justified, this is not something we can fix
since squeeze is no longer supported with bugfixes (only lts security updates)
and even if it were, this would not be the kind of bug that would qualify for
a point update fix. Therefore closing the issue in Debian's bts; you're of
course free to continue to discuss with upstream.
Cheers,
Thijs
signature.asc
Description: This is a digitally signed message part.
--- End Message ---