[arch-dev-public] gnupg 2.3.1-1 pulled from [testing]

Morten Linderud foxboron at archlinux.org
Tue May 11 12:42:04 UTC 2021


On Tue, May 11, 2021 at 08:28:24AM -0400, Lukas Fleischer wrote:
> Hi Morten,
> 
> Thanks for the summary.

Yoo!

Thanks for explaining :)

> On Mon, 10 May 2021 at 13:31:13, Morten Linderud via arch-dev-public wrote:
> > Why was this removed with no heads-up? It caused a fair bit of confusion for a
> > few people and the cause of this issue isn't very clear when packages fail to
> > verify. Ideally we should have pushed gnupg with an epoch?
> 
> I removed the package after Jan informed me yesterday that the package
> is broken. Apologies for not making a public announcement; I should have
> sent an email to our mailing lists.

No worries. People started bugging me on IRC and there is now a thread on the
subreddit as well. I thought I'd just send one before people started sending me
personal emails about some weird conspiracies about compromised signing keys :p

> The package has two undocumented patches, one to remove a warning and
> another one that's required for pacman. I was not aware that pacman
> required a patched version of GnuPG and will work on porting/rebasing
> and documenting the patches before pushing a new build.

Thanks! But it's probably a few more changes with the signing UIDs we need to
account for. I believe Santiago and/or Jonas can explain but it would probably
be better to share the package on the mailing list or throw it into staging so
we can look at it before it enters testing.

> When it comes to pushing with epoch, my understanding was that it is
> expected that packages break occasionally in [testing] and might get
> dropped. The recommendation for all [testing] users used to be to
> subscribe to arch-dev-public where dropped packages are (or at least
> should be) announced. Do we want to provide upgrade paths for broken
> packages in [testing]?

I'm not sure if we traditionally drop packages from testing or do an epoch.
I might be wrong and developers probably have a stronger opinion.

Ideally testers should follow arch-dev-public closely. I thought it was
mentioned somewhere but it apparently hasn't been on the testing team wiki page.
NetSysFire has added a note for it :)

https://wiki.archlinux.org/title/Arch_Testing_Team

Thanks!

-- 
Morten Linderud
PGP: 9C02FF419FECBE16