Christian Stadelmann wrote:
> At the annual conference 39C3, a few PGP-related security bugs were found,
> many of which are bugs in gnupg2 [1].

The conference is going on right now, so this is brand new news.

> The gnupg2 package has not seen an update from its maintainer for >6 months
> [2], even though lots [3] of updates with lots of security relevant bug fixes
> have been released. The-new-hotness's update reminders turned into a
> monologue [4].

Fedora 43 and Rawhide have GnuPG 2.4.8, which is the latest in the 2.4 series. Fedora 42 has 2.4.7. Upstream promises to maintain the 2.4 series for six more months.

The upstream messaging about the 2.5 series has shifted a bit. It used to be presented as "a series of public testing releases eventually leading to a new stable version 2.6". That's not what we want in a Fedora release. With GnuPG 2.5.12 in September, this statement appeared instead:

| Note that this 2.5 series is fully supported and thus ready for
| production use. This means we won't break anything but may add some
| more features before 2.6.

So considering the coming end-of-life of GnuPG 2.4, it might be appropriate to upgrade to 2.5 for Fedora 44, but it's also reasonable to want the new features stabilized first.

> Some of the open bugs [5] are remote code execution bugs reported less than
> two days ago.
> Is it possible that gnupg is unmaintained? This would pose a high security
> risk to the Fedora project.

That's unwarranted. Spreading the word about alarming vulnerabilities is great, and of course we'd all like to see them patched yesterday, but can't a maintainer who is probably on vacation get *some* time to react before you start talking about the package being unmaintained?

Björn Persson
--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
