Hello all!

Thank you for the message and interest in GnuPG! What was said about the state is mostly true (not the thing about being unmaintained, but about sticking on the "oldstable" release). And thanks Adam for the heads up.

For the CVEs, I just merged a rebase to 2.4.9 (thanks @Clemens Lang <[email protected]> for the PR!) and it's building:

https://koji.fedoraproject.org/koji/taskinfo?taskID=140639106

(other Fedora versions will follow)

To answer separate questions, the CVEs were published on 29th December and the upstream release came one day after. Unfortunately I was not around the computer to fix this faster. No update for 6 months really does not mean that the package is unmaintained. There was just no reason to update the package.

We are keeping the Fedora version of GnuPG on the 2.4 branch, as said above, intentionally. The 2.5 started as mostly an experiment implementing the LibrePGP standard, which is not compatible with anything else (IETF's OpenPGP) and would likely result in users shooting themselves into their feet. I also synced a couple of patches over the last years with the FreePG project, which is trying to maintain the version 2.4 in a compatible manner:

https://gitlab.com/freepg/gnupg

Updating to 2.5 would result in new users generating incompatible LibrePGP keys, which I do not think is a good idea to do now for all Fedora users. I am hoping we will have some better solution by the time the 2.4 version will reach EOL, but I can not anticipate what it is going to be.

Best,
Jakub

On Tue, Dec 30, 2025 at 7:50 PM Adam Williamson <[email protected]> wrote:

> On Tue, 2025-12-30 at 11:49 +0000, Christian Stadelmann wrote:
> > Thanks for your response! I'm sorry I might have been a bit impatient. Some of the bugs were fixed upstream, but I am aware that we cannot expect a maintainer to track upstream so closely that they would get notified on these upstream fixes.
>
> In case you're not aware, Red Hat has a company shutdown every year
> from Dec 25 through Jan 2 (more or less), meaning basically everyone
> who works at RH is off work during that time. Of course there's cover
> for critical functions, but generally you can't expect an RH-employed
> maintainer to be doing 'routine' stuff like upstream monitoring during
> that timeframe. I'm pretty sure the gnupg maintainers *do* usually
> monitor upstream things like this, but during this particular
> timeframe, it's different.
> --
> Adam Williamson (he/him/his)
> Fedora QA
> Fedora Chat: @adamwill:fedora.im | Mastodon: @[email protected]
> https://www.happyassassin.net
>
> --
> _______________________________________________
> devel mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
