Ben Finney <> writes:

> I am preparing a new version of ‘dput’ that stops using ‘/usr/bin/gpg’,
> and instead uses the GPGME library for GnuPG operations.

> […]
> If your packaging workflow has unusual signing practices, or an unusual
> GnuPG configuration, your help will be especially valuable to test this
> change.

In particular I am seeking workflows and tests that:

* Use signatures from keys that are now expired, or from keys that your
  GnuPG doesn't trust, or from keys that your GnuPG doesn't know.

* Use signatures that are well-formed but fail to verify, or that are
  good but very old, or that are from the future.

* Use non-default hash algorithms, or non-default options that would
  otherwise affect the generated signature.

* Use GnuPG version 1 on a system with GnuPG 2, or vice versa.

* Use outdated versions of GPGME.

* etc.

I'm also hoping some people interested in back-porting ‘dput’ to older
Debian releases can help test these changes on those systems.

Please contact me at <> to offer your packaging
system to test this new release.

 \        “Good judgement comes from experience. Experience comes from |
  `\                              bad judgement.” —Frederick P. Brooks |
_o__)                                                                  |
Ben Finney

Reply via email to