On Mon, 2025-12-29 at 16:57 +0000, Christian Stadelmann wrote:
> Hi together,
>
> On the annual conference 39C3, a few PGP-related security bugs were found,
> many of which are bugs in gnupg2 [1].
>
> The gnupg2 package has not seen an update from its maintainer for >6 months
> [2], even though lots [3] of updates with lots of security-relevant bug fixes
> have been released. The-new-hotness's update reminders turned into a
> monologue [4]. Some of the open bugs [5] are remote code execution bugs.
>
> PS: I know that this is a public mailing list, and am posting on a public
> mailing list, since all the information mentioned here is public.
>
> Is it possible that gnupg is unmaintained? This would pose a high security
> risk to the Fedora project.
>
> [1] https://gpg.fail/
> [2] https://src.fedoraproject.org/rpms/gnupg2/commits/rawhide
> [3] https://dev.gnupg.org/source/gnupg/browse/master/NEWS
> [4] https://bugzilla.redhat.com/show_bug.cgi?id=2296000
> [5] https://bugzilla.redhat.com/buglist.cgi?component=gnupg2&query_format=advanced&product=Fedora&product=Fedora%20EPEL&bug_status=__open__

Jakub is still in the RH employee list in the expected org, so it seems like
he should still be maintaining it. I do not know why he hasn't apparently done
any work on the package lately. RH is on holiday shutdown ATM but I'll try to
make sure he's aware of this thread.

--
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @[email protected]
https://www.happyassassin.net

--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
