[arch-general] gnupg 2.1 not stable

Ido Rosen ido at kernel.org
Wed Dec 17 16:28:21 UTC 2014


On Wed, Dec 17, 2014 at 11:00 AM, "P. A. López-Valencia"
<vorbote at outlook.com> wrote:
>
> On 17/12/14 09:32, Ido Rosen wrote:
>>
>>
>> Agreed that everything in "core" should be maximally stable.  (Also,
>> following upstream stable releases rather than unstable releases fits
>> just fine with Arch's philosophy of following upstream releases, since
>> unstable releases are really just poorly named release candidates,
>> which we don't usually follow.)
>
>
> TBH, your argument is a red herring. Arch is about K.I.S.S. and following
> upstream as close to current as *upstream stable releases* allow. There have
> been occasions when what you propose has happened, mostly due to the chronic
> lack of developer hands and time. I can recall the headache it was to move
> from guile 1.8 to 2.x a little longer than a year ago.

We seem to be in agreement: 2.1.x is not yet in the set of upstream
*stable* releases, but 2.0.x is in that set.  Therefore, Arch should
follow 2.0.x until upstream has marked 2.1.x as stable.  Someone made
a mistake in upgrading to 2.1, so let's correct the mistake by
downgrading back until it's safe, rather than leaving all of Arch's
users at great security risk.  Let's not forget that gnupg underlies
all of Arch's security/integrity (i.e. pacman db and pkg signing) -
it's how our users know that Arch is Alice-rch and not Eve-rch.

IMO, downgrading is the responsible, smart (not stupid) thing to do,
and let's not forget the last "S" in K.I.S.S... :-)

>
>> Given that gpg is such a crucial core component of Arch's
>> infrastructure and that gpg 2.1 is NOT stable, could we switch back
>> to gnupg 2.0.x (stable release) and create a gnupg-modern or gnupg21
>> package to track gnupg 2.1.x, which should be installable side-by-side
>> with gnupg stable (perhaps with gpg21 as the binary name)?
>>
>
> Instead, why not donate to gnupg.org so that the software is truly stable
> and evolves quickly? One underpaid (and underfed!) developer doesn't give
> any assurance about the future of the project and the software itself.[1]
> TL;DR: gnupg's situation is such that the OpenSSL project before the
> Heartbleed incident looks like a bunch of rich kids clubbing in Ibiza.

I donated, but I do not see your name on the donation list? [0]  It
can be "in addition to", not "instead".  Also, your argument is a
straw man: upstream funding has nothing to do with whether Arch
should follow what upstream has marked as a stable release vs. what
upstream marked as an unstable, not-recommended-for-general-use feature
development release; this is especially true of such a critical core
component which underlies all of Arch's package distribution
security/integrity (i.e. pacman-key).  That one underpaid and underfed
full-time developer you refer to has marked 2.0 as stable and 2.1 as
unstable, so upstream has not marked 2.1.x as stable yet.

[0] https://www.gnupg.org/donate/kudos.html

>
> [1] https://news.ycombinator.com/item?id=8761896
>
> --
> Pedro Alejandro López-Valencia
> http://about.me/palopezv/
>
> Every nation gets the government it deserves. -- Joseph de Maistre
