[Gpg4win-devel] Claws Mail status

Marcus Brinkmann marcus.brinkmann at ruhr-uni-bochum.de
Tue Sep 30 16:23:38 CEST 2008


At Tue, 30 Sep 2008 15:33:41 +0200,
'Werner Koch' wrote:
> 
> On Tue, 30 Sep 2008 14:13, marcus.brinkmann at ruhr-uni-bochum.de said:
> 
> > For builds that are straight out of svn the default name should be ok.
> 
> I don't think so. 
> 
> What comes out of the build process depends on the packages you have
> copied to packages/.  It is quite possible to use different versions and
> not those from packages.current.  In fact, Gpg4win was designed as a
> meta installer and not as a packaging tool for one specific set of
> tools.  True, we now have quite some dependencies on current versions
> and older versions of some packages won't work; but that does not change
> the fact that it is quite possible to build different stuff.

True, but packages.current does provide an authoritative list.  It is
under version control, so we know what svnXYZ is supposed to mean.

It would not be difficult to check packages.current against the
available packages at configure time, and allow a mismatch only if a
non-empty string is provided with --version-suffix.  That
version-suffix can be appended to the version string.  Then the files
don't need to be renamed manually and it is not forgotten.  We can do
this in addition to daily autobuilds.

> What I am concerned about most is helping users.  Users need to be able
> to tell what software they installed.  We can't expect them to send the
> README file which includes the version numbers.  Worse, when installing
> on top of something, this information is not any longer true.  Thus the
> easiest way is to ask them for the name of the file they downloaded and
> installed.

We cannot enforce the filenames that other people use.  Thus, the
best we can do is to make it easy to do the right thing.  Asking for
the URL the user downloaded from is one way.  Adding more configure
checks is a second way.  Providing an automatic snapshot build is a
third way, which helps developers and users alike.

> We already have this problem with the vanilla gpg: There is the gpg
> binary from ftp.gnupg.org, there is the one which comes with gpg4win and
> there are several other installers which include gpg.  It is often not
> easy to figure out what version it actually is.  Now with several
> identically named gpg4win installers which are all built on other
> machines and with other sets of packages this will lead to even more
> confusion.

gpg is not special in this regard.  The same is true for every free
software project.  You never know the complete system configuration of
a third-party build.  You also don't know the source.  The version
number doesn't tell you if patches have been applied, for example.

Version numbers are only useful as a rough guide.  You always need
more information if you want to dig deeper, for example by whom the
software was provided.  Look at the following packages in Ubuntu.  All
these have gpg --version: gpg (GnuPG) 1.4.6:

gnupg (1.4.6-2ubuntu5) hardy; urgency=low

  * No-change rebuild against libldap-2.4-2.

 -- Steve Langasek <steve.langasek at ubuntu.com>  Wed, 23 Jan 2008 10:49:38 +0000

gnupg (1.4.6-2ubuntu4) gutsy; urgency=low

  * debian/patches/70_trust_error.dpatch: Removed as it broke setting the
    trust level to 1 (LP: #147343).

 -- Michael Bienia <geser at ubuntu.com>  Mon, 01 Oct 2007 21:52:52 +0200

gnupg (1.4.6-2ubuntu3) gutsy; urgency=low

  [ Scott Kitterman ]
  * Add 'debian/patches/60_install_options_skel.dpatch': Patch to
    install options file from upstream (LP: #76983)
  * Add 'debian/patches/61_use_agent_default.dpatch': Patch to set gpg
    (or gpg2) and gpgsm to use a passphrase agent by default (LP: #15485)
  * Add 'debian/patches/70_trust_error.dpatch': Patch to disallow illegal
    zero response for trust level changes (LP: #39459)

  [ Michael Bienia ]
  * Add libcurl4-gnutls-dev to Build-Depends to fix gpg running into a timeout
    updating the keyring (LP: #62864)

 -- Michael Bienia <geser at ubuntu.com>  Fri, 06 Jul 2007 20:56:05 +0200

gnupg (1.4.6-2ubuntu2) gutsy; urgency=low

  * Add 'debian/patches/50_show_primary_only.dpatch': add
    'show-primary-uid-only' to verify options, to suppress 'aka' output
    in key verifications, backported from 1.4.7 upstream.

 -- Kees Cook <kees at ubuntu.com>  Tue, 15 May 2007 12:09:41 -0700

gnupg (1.4.6-2ubuntu1) gutsy; urgency=low

  * Merge from debian unstable, remaining changes:
    - config.h.in: Disable mlock() test since it fails with ulimit 0 (on
      buildds).
    - debian/rules:
      + Do not install gpg as suid root, since that is not necessary with
        kernels 2.6.8+.
      + Make the build fail if the test suite fails.
    - debian/control: Maintainer field update.

 -- Kees Cook <kees at ubuntu.com>  Tue, 08 May 2007 02:21:26 -0700

gnupg (1.4.6-2) unstable; urgency=medium

  * 28_multiple_message.dpatch: new patch from upstream to fix problems
    handling verification of messages with multiple
    components. [CVE-2007-1263]

 -- James Troup <james at nocrew.org>  Wed,  7 Mar 2007 21:47:35 +0000

gnupg (1.4.6-1ubuntu2) feisty; urgency=low

  * SECURITY UPDATE: without --status-fd, forged inline sigs can appear valid.
  * debian/patches/50_stop_multiple_messages.dpatch: upstream patch.
  * References
    ftp://ftp.gnupg.org/gcrypt/gnupg/patches/gnupg-1.4.6-multiple-message.patch
    CVE-2007-1263

 -- Kees Cook <kees at ubuntu.com>  Wed,  7 Mar 2007 11:53:20 -0800

gnupg (1.4.6-1ubuntu1) feisty; urgency=low

  * Merge from debian unstable, remaining changes:
    - config.h.in: Disable mlock() test since it fails with ulimit 0 (on
      buildds).
    - debian/rules:
      + Do not install gpg as suid root, since that is not necessary with
        kernels 2.6.8+.
      + Make the build fail if the test suite fails.

 -- Kees Cook <kees at ubuntu.com>  Tue, 12 Dec 2006 15:56:56 -0800

gnupg (1.4.6-1) unstable; urgency=high

  * New upstream release.
   * Fixes remotely controllable function pointer [CVE-2006-6235]

  * 27_filename_overflow.dpatch: merged upstream, dropped.
  * 24_gpgv_manpage_cleanup.dpatch: updated and a couple of additional
    trivial fixes.

  * debian/rules (binary-arch): info copy of manuals moved to
    /usr/share/info - remove them there instead.  Manuals are now built
    from texi source, so install them from build tree, not top level.

  * debian/copyright: update to add OpenSSL exemption for keyserver helper
    tools.

 -- James Troup <james at nocrew.org>  Thu,  7 Dec 2006 02:54:51 +0000

> Also think about search engines: Someone tells you to install
> gpg4win-1.2.3-svn4711.exe, you employ a search engine, that one yields a
> list of several locations for the file, you pick one, download it and
> wonder why it does not have an option to install, say, Claws.
> 
> Thus, I consider it important to have distinguishable installer names.

I think we are addressing different problems.  We can have different
names for different installers and still have authoritative versions
with a common name.

Although all this is really overkill.  If somebody uses a -svnXYZ
version, we already know it is not an official release, and have to
ask the right follow-up questions.  The main important thing is that
people don't use the official name accidentally, and that is already
the case.

Thanks,
Marcus
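The configure-time check proposed in this message, written out as an added example; it is not part of the original thread or of Gpg4win's build system. It assumes a constructed packages.current format of one "name version" per line, tarballs in packages/ named name-version.tar.gz, and a hypothetical --version-suffix value passed as the third argument, with the sample tree constructed inline.

```shell
#!/bin/sh
# Added example, not Gpg4win's configure script. Constructed conventions: packages.current
# lists one "name version" per line; packages/ holds tarballs named name-version.tar.gz.
# Exit 0 when packages/ matches packages.current exactly, or when the mismatch
# is explicitly acknowledged by a non-empty --version-suffix value ($3).
check_packages() {
    manifest=$1; pkgdir=$2; suffix=$3
    mismatch=0; expected=
    # Every entry in the manifest must be present in packages/.
    while read -r name version; do
        case "$name" in ''|'#'*) continue ;; esac
        expected="$expected $name-$version.tar.gz"
        if [ ! -f "$pkgdir/$name-$version.tar.gz" ]; then
            echo "missing: $name $version" >&2; mismatch=1
        fi
    done < "$manifest"
    # Nothing that the manifest does not list may be present either.
    for f in "$pkgdir"/*.tar.gz; do
        [ -e "$f" ] || break              # unexpanded glob: directory is empty
        case " $expected " in
            *" ${f##*/} "*) ;;
            *) echo "unlisted: ${f##*/}" >&2; mismatch=1 ;;
        esac
    done
    [ "$mismatch" -eq 0 ] && return 0
    if [ -n "$suffix" ]; then
        echo "note: mismatch accepted, version will carry suffix '$suffix'" >&2
        return 0
    fi
    echo "error: packages/ differs from packages.current; refusing the official name" >&2
    return 1
}
# Version string for the installer: base version plus the suffix, if any.
build_version() {
    if [ -n "$2" ]; then printf '%s-%s\n' "$1" "$2"; else printf '%s\n' "$1"; fi
}
# Constructed sample tree: the manifest and packages/ disagree on one package.
EXAMPLE_DIR=$(mktemp -d)
mkdir "$EXAMPLE_DIR/packages"
printf '%s\n' '# name version' 'gnupg 1.4.9' 'claws-mail 3.5.0' > "$EXAMPLE_DIR/packages.current"
: > "$EXAMPLE_DIR/packages/gnupg-1.4.9.tar.gz"
: > "$EXAMPLE_DIR/packages/claws-mail-3.6.0.tar.gz"
# Without a suffix the build is refused; with one it proceeds under a marked name.
VERSION_SUFFIX=${VERSION_SUFFIX:-}
if check_packages "$EXAMPLE_DIR/packages.current" "$EXAMPLE_DIR/packages" "$VERSION_SUFFIX"; then
    echo "building gpg4win-$(build_version 1.2.3 "$VERSION_SUFFIX").exe"
fi
```

Run with VERSION_SUFFIX=svn4711 to see the suffixed name accepted, and without it to see the refusal.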
