On 11/5/21 10:28 pm, Lukas Fleischer via arch-dev-public wrote:
Hi Morten,
Thanks for the summary.
On Mon, 10 May 2021 at 13:31:13, Morten Linderud via arch-dev-public wrote:
Why was this removed with no heads-up? It caused a fair bit of confusion for a few people and the cause of this issue isn't very clear when packages fail to verify. Ideally we should have pushed gnupg with an epoch?
I removed the package after Jan informed me yesterday that the package is broken. Apologies for not making a public announcement; I should have sent an email to our mailing lists.
The package has two undocumented patches, one to remove a warning and another one that's required for pacman. I was not aware that pacman required a patched version of GnuPG and will work on porting/rebasing and documenting the patches before pushing a new build.
Our patch documentation policy is non-existent, but you'd have to assume that revert was in the package for a reason. Looking in the SVN history: https://github.com/archlinux/svntogit-packages/commit/ce66f685cf14e94c9f1aa6...
When it comes to pushing with epoch, my understanding was that it is expected that packages break occasionally in [testing] and might get dropped. The recommendation for all [testing] users used to be to subscribe to arch-dev-public where dropped packages are (or at least should be) announced. Do we want to provide upgrade paths for broken packages in [testing]?
An announcement on arch-dev-public has been enough previously. No need for an epoch build.
I'd also like to query why 2.3.x was packaged at all? From the 2.3 series announcement:
"We are pleased to announce the availability of a new GnuPG release: version 2.3.0. This release marks the start of public testing releases eventually leading to a new stable version 2.4."
It seems that we should stay with 2.2.x until 2.4 is released, and the out-of-date flag should be ignored. That will give time to fix the fallout from this change (which is the root cause of the issue that was noticed):
https://dev.gnupg.org/T4735
Allan