[arch-general] gnupg 2.1 not stable

Ido Rosen ido at kernel.org
Wed Dec 17 18:32:03 UTC 2014


On Wed, Dec 17, 2014 at 12:05 PM, Levente Polyak <anthraxx at archlinux.org> wrote:
> besides the "upstream stable release" discussion (which i will leave out
> here) i have two small questions:
>
> On 12/17/2014 03:03 PM, Ido Rosen wrote:
>> On the gnupg-devel mailing list I've seen a few
>> potentially serious security issues with it.
>
> No offense, but out of interest:

No offense taken at all, these are good questions to ask.

> Could you please point them out with some references and links what
> exactly you consider "potentially serious security issues" on that
> mailing list?
> If its something that was not noticed to be potentially a serious
> security issue, did you raise awareness about that on the list or
> privately to the dev?

Several security patches went into 2.1 after its release, and there
continue to be patches submitted for minor issues that are borderline
security/usability issues in the "bug fix" category.  Most of those
bugs at worst result in DoSes, but two of them in particular could
result in invalid signature verification output.  The 2.1.x codebase
is still under relatively heavy active development (in code coverage
terms) and new features seem to be going into it with every point
release.  This is my interpretation from following the gnupg-devel
mailing list and having some familiarity with how gnupg releases have
come out in the past.

(Werner Koch does an excellent job of making the releases as secure as
he can, but I think he has a good security reason why 2.1 isn't marked
as ready for general use or stable yet.  I trust him to mark 2.1
stable when he thinks it is ready for public consumption.)

> On 12/17/2014 05:28 PM, Ido Rosen wrote:
>> [...] Someone made
>> a mistake in upgrading to 2.1, so let's correct the mistake by
>> downgrading back until it's safe, rather than leaving all of Arch's
>> users at great security risk.
>
> out of curiosity, what exactly and specifically do you consider a "great
> security risk" in 2.1. I would appreciate if you provide a concrete
> reference in 2.1 what you mean with "great security risk".

The great security risk is in reference to the fact that Arch uses
gnupg to validate package repository authenticity and package
authenticity, as well as other places.  In practice, I see several
security patches went into 2.1 after 2.1.0 was released, including
some to fix bugs that only affected 2.1.0 and not 2.0.x.  Some of
those bugs are immediately exploitable, but it would be irresponsible
to disclose which publicly (and I'm not a security researcher).

For me, the bigger issue is that the developers themselves do not
consider 2.1 ready for general use, and that it's the only thing
preventing an Arch mirror compromise from turning into an Arch
compromise.

>
> thanks in advance,
> cheers,
> Levente
>
