Bug#860745: [pkg-gnupg-maint] Bug#860745: Please suggest a fix for "server $SOMETHING is older than us" message

2017-04-28 Thread Werner Koch
On Tue, 25 Apr 2017 22:31, d...@fifthhorseman.net said:

> Do you recommend terminating all per-user gpg-agent and dirmngr
> instances upon package upgrade?  This would be a significant change from

I can't decide this.  What I do if something goes wrong after an update
is to look into the Debian.NEWS.gz and changelog/Debian.gz.

However for a security fix I would suggest to restart the daemons on
installation or mail/show a respective message.

> I just filed it here:  https://dev.gnupg.org/T3117

Thanks.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Bug#860745: [pkg-gnupg-maint] Bug#860745: Please suggest a fix for "server $SOMETHING is older than us" message

2017-04-25 Thread Daniel Kahn Gillmor
Control: tags 860745 + upstream
Control: forwarded 860745 https://dev.gnupg.org/T3117

On Sun 2017-04-23 18:52:11 +0200, Werner Koch wrote:
> Well, correct installation of a software update is the task of the
> sysadmin or the distribution.  This is the same as an update of libc or
> other libraries; something(tm) must happen to restart all processes
> using an updated library.

Do you recommend terminating all per-user gpg-agent and dirmngr
instances upon package upgrade?  This would be a significant change from
the traditional debian packaging approach, in which the package is only
really responsible for restarting system-level daemons (not user-level
daemons).

>>   gpg: WARNING: server 'dirmngr' is older than us (2.1.17 < 2.1.18). Run with --verbose for details.
>>   gpg: further info: Outdated servers may lack important security fixes.
>>   gpg: further info: A restart can be forced using "gpgconf --kill all"
>
> Hmmm.  Can you file a report to bugs.gnupg.org ?

I just filed it here:  https://dev.gnupg.org/T3117

  --dkg




Bug#860745: [pkg-gnupg-maint] Bug#860745: Please suggest a fix for "server $SOMETHING is older than us" message

2017-04-23 Thread Werner Koch
On Sun, 23 Apr 2017 11:09, enr...@debian.org said:

> Technically it sounds like the right thing. I had no idea I could get
> hints with --verbose, though, so I wouldn't have seen it.

Isn't it the first thing with Unix tools to add -v when you wonder what
is going on ;-).

> Could gpg tell dirmngr/gpg-agent to kill themselves the next time they
> are idle and not servicing anyone? I imagine that would do the restart

Well, correct installation of a software update is the task of the
sysadmin or the distribution.  This is the same as an update of libc or
other libraries; something(tm) must happen to restart all processes
using an updated library.

We print the notice only to help in debugging for those who build the
software on their own and forget a task.

> cosmetic thing, or could there be a malfunction, like an ABI mismatch,
> or an attack vector, like a security issue having been fixed in the new
> server version, and needing a restart to take effect?

Most things keep on working even with older versions.  We try to
make sure not to break things.  However, you won't have access to bug
fixes and new features.  People sometimes wonder why they didn't notice
a change after updating to a new gpg version and continue to complain -
that is why we have this warning.  Make the life easier for the
maintainers.

> If it's just cosmetic, I'd suggest to move the warning to --verbose
> hints as well. If there is a danger, I'd like the danger to be spelled
> out clearly, like:
>
>   gpg: WARNING: server 'dirmngr' is older than us (2.1.17 < 2.1.18). Run with --verbose for details.
>   gpg: further info: Outdated servers may lack important security fixes.
>   gpg: further info: A restart can be forced using "gpgconf --kill all"

Hmmm.  Can you file a report to bugs.gnupg.org ?


Salam-Shalom,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Bug#860745: [pkg-gnupg-maint] Bug#860745: Please suggest a fix for "server $SOMETHING is older than us" message

2017-04-23 Thread Enrico Zini
On Fri, Apr 21, 2017 at 06:52:20PM +0200, Werner Koch wrote:

> > gpg: WARNING: server 'dirmngr' is older than us (2.1.17 < 2.1.18). Run 'gpgconf --kill dirmngr' to terminate it.  A new instance will be restarted as needed.
> We already have some hints messages printed in --verbose mode, like:
>   gpg: further info: Tor is not properly configured
> So I would suggest to print
>   gpg: further info: A restart can be forced using "gpgconf --kill all"

Technically it sounds like the right thing. I had no idea I could get
hints with --verbose, though, so I wouldn't have seen it.

> > Alternately, it might be nice for gpg to try to effect the restart
> > itself (though i worry that could get into a loop, since gpg itself is
> Not a good idea in case you have other sessions running or you need the
> cache.

Could gpg tell dirmngr/gpg-agent to kill themselves the next time they
are idle and not servicing anyone? I imagine that would do the restart
without being a problem for other sessions running.

I don't know about the cache. I also don't know what's the danger in
running servers that have an older version than gpg itself: is it just a
cosmetic thing, or could there be a malfunction, like an ABI mismatch,
or an attack vector, like a security issue having been fixed in the new
server version, and needing a restart to take effect?

If it's just cosmetic, I'd suggest to move the warning to --verbose
hints as well. If there is a danger, I'd like the danger to be spelled
out clearly, like:

  gpg: WARNING: server 'dirmngr' is older than us (2.1.17 < 2.1.18). Run with --verbose for details.
  gpg: further info: Outdated servers may lack important security fixes.
  gpg: further info: A restart can be forced using "gpgconf --kill all"


Enrico

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini 




Bug#860745: [pkg-gnupg-maint] Bug#860745: Please suggest a fix for "server $SOMETHING is older than us" message

2017-04-21 Thread Werner Koch
On Wed, 19 Apr 2017 18:53, d...@fifthhorseman.net said:

> I wouldn't want to encourage people to restart the daemons -- i'd rather
> encourage them to terminate them and let the new versions be restarted

Right.


> gpg: WARNING: server 'dirmngr' is older than us (2.1.17 < 2.1.18). Run 'gpgconf --kill dirmngr' to terminate it.  A new instance will be restarted as needed.

We already have some hints messages printed in --verbose mode, like:

  gpg: further info: Tor is not properly configured

So I would suggest to print

  gpg: further info: A restart can be forced using "gpgconf --kill all"

> Alternately, it might be nice for gpg to try to effect the restart
> itself (though i worry that could get into a loop, since gpg itself is

Not a good idea in case you have other sessions running or you need the
cache.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Bug#860745: [pkg-gnupg-maint] Bug#860745: Please suggest a fix for "server $SOMETHING is older than us" message

2017-04-19 Thread Daniel Kahn Gillmor
Hi Enrico--

On Wed 2017-04-19 18:26:48 +0200, Enrico Zini wrote:

> I get some warnings when I run some gpg commands:
>
> gpg: WARNING: server 'dirmngr' is older than us (2.1.17 < 2.1.18)
> gpg: WARNING: server 'gpg-agent' is older than us (2.1.17 < 2.1.18)
>
> I'd like to restart those services, but I have no idea of how.

The upstream way to tear down those services (which is independent of
whatever system manager you're using) is:

gpgconf --kill gpg-agent
gpgconf --kill dirmngr

They will be automatically restarted as needed.

If you're using systemd (it looks like you are) with libpam-systemd and
have a per-user systemd manager running (you probably do), then you can
also terminate them the same way you'd terminate any systemd user service:

systemctl --user stop gpg-agent dirmngr

And again, they'll be automatically restarted as needed.


> gpg: WARNING: server 'dirmngr' is older than us (2.1.17 < 2.1.18). Run $COMMAND to restart it.

I wouldn't want to encourage people to restart the daemons -- i'd rather
encourage them to terminate them and let the new versions be restarted
as needed, but that sounds pretty verbose.  What do you think about:

gpg: WARNING: server 'dirmngr' is older than us (2.1.17 < 2.1.18). Run 'gpgconf --kill dirmngr' to terminate it.  A new instance will be restarted as needed.

Alternately, it might be nice for gpg to try to effect the restart
itself (though i worry that could get into a loop, since gpg itself is
short-lived compared to its helper daemons).

Any other suggestions?

--dkg
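
The teardown described in the message above, as an added example that is not part of the original post or of GnuPG: a POSIX shell filter that reads gpg's stderr, picks out the "is older than us" warnings, and prints one `gpgconf --kill` command per outdated daemon. The function names, the allowlist restricted to the two daemons named in this thread, and the sample input (constructed from the warning text quoted in the thread) are assumptions.

```shell
#!/bin/sh
# Added example: map gpg's "older than us" warnings to gpgconf --kill commands.

# Constructed sample of gpg stderr, using the warning format quoted in the thread.
SAMPLE="gpg: WARNING: server 'dirmngr' is older than us (2.1.17 < 2.1.18)
gpg: WARNING: server 'gpg-agent' is older than us (2.1.17 < 2.1.18)
gpg: WARNING: server 'dirmngr' is older than us (2.1.17 < 2.1.18)
gpg: WARNING: server 'unknown-helper' is older than us (2.1.17 < 2.1.18)
gpg: further info: Tor is not properly configured"

# stale_components: read gpg stderr on stdin and print
# "<name> <running-version> <installed-version>" once per outdated daemon.
stale_components() {
    sed -n "s/^gpg: WARNING: server '\([^' ]*\)' is older than us (\([0-9.]*\) < \([0-9.]*\)).*/\1 \2 \3/p" |
    while read -r name running installed; do
        # Only names on the allowlist are ever passed on to a command line.
        case "$name" in
            gpg-agent|dirmngr)
                printf '%s %s %s\n' "$name" "$running" "$installed" ;;
            *)
                printf 'ignoring unexpected server name: %s\n' "$name" >&2 ;;
        esac
    done | sort -u
}

# kill_commands: print (not run) the teardown command for each stale daemon.
# The daemons are started again on demand by the next gpg invocation.
kill_commands() {
    stale_components | while read -r name running installed; do
        printf 'gpgconf --kill %s\n' "$name"
    done
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | kill_commands
```

To use it on a live system, feed it real gpg stderr, for example `gpg --list-keys 2>&1 >/dev/null | kill_commands`, and review the printed commands before running them.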

