Package: notmuch
Version: 0.38.3-3+b2
Control: affects -1 + src:gnupg2

Hey notmuch folks--

GnuPG recently fixed a denial of service for signature verification in the keyring on its master branch: https://dev.gnupg.org/T7527

However, when i backport the fix for this DoS to debian (2.2.46-2), i get this failure in the notmuch test suite, in T350-crypto.sh: https://ci.debian.net/packages/n/notmuch/testing/amd64/58295837/#L2732

```
93s FAIL signature verification with revoked key
93s --- T350-crypto.19.expected 2025-02-26 22:12:14.641273874 +0000
93s +++ T350-crypto.19.output 2025-02-26 22:12:14.641273874 +0000
93s @@ -21,7 +21,7 @@
93s "sigstatus": [
93s {
93s "errors": {
93s - "key-revoked": true
93s + "key-missing": true
93s },
93s "keyid": "7E6ABE924645CC60",
93s "status": "error"
93s @@ -34,7 +34,7 @@
93s "status": [
93s {
93s "errors": {
93s - "key-revoked": true
93s + "key-missing": true
93s },
93s "keyid": "7E6ABE924645CC60",
93s "status": "error"
```

I'm reading this as "gpg now reports that the signing key is *missing* rather than *revoked*, when it is actually revoked".

I am going to try to replicate this in gnupg's master branch and report the problem upstream, but i wanted to note the issue to notmuch as well, to see whether anyone has a preference about how to fix it. I don't think that reverting the fix in GnuPG is a good idea, given the DoS that it resolves.

--dkg
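The practical consequence of the regression in the report above is that a consumer of notmuch's `sigstatus` output sees the revocation reason disappear while the signature still fails. The following is an added example, not code from dkg, notmuch or GnuPG: it parses `sigstatus` entries in the shape shown in the test diff, classifies each signature, and flags the exact discrepancy from the report, a key reported as missing that the local keyring (modelled here as a constructed set of revoked key IDs) knows to be revoked. The sample entries are constructed from the two variants in the diff; the assumption that notmuch uses `"status": "good"` for a valid signature is mine, not stated on the page.

```python
import json

# Constructed samples modelled on the two variants in the test diff above
# (the expected "key-revoked" case and the regressed "key-missing" case).
# These are not notmuch's own test fixtures.
EXPECTED_SIGSTATUS = json.dumps([
    {"errors": {"key-revoked": True}, "keyid": "7E6ABE924645CC60", "status": "error"}
])
REGRESSED_SIGSTATUS = json.dumps([
    {"errors": {"key-missing": True}, "keyid": "7E6ABE924645CC60", "status": "error"}
])


def classify_signature(sig):
    """Map one sigstatus entry to a coarse verdict string.

    "good" meaning a valid signature is an assumption about notmuch's schema;
    the "error" status and the "key-revoked"/"key-missing" error keys are the
    ones visible in the test diff.
    """
    if sig.get("status") == "good":
        return "verified"
    errors = sig.get("errors", {})
    if errors.get("key-revoked"):
        return "revoked"
    if errors.get("key-missing"):
        return "missing"
    # Any other failure: keep the raw error names so nothing is silently dropped.
    if errors:
        return "error:" + ",".join(sorted(errors))
    return "error"


def verdicts(sigstatus_json):
    """Return [(keyid, verdict), ...] for every signature in a sigstatus array."""
    return [(sig.get("keyid"), classify_signature(sig))
            for sig in json.loads(sigstatus_json)]


def message_verified(sigstatus_json):
    """True only if at least one signature exists and all of them verify.

    Both "revoked" and "missing" are failures; a consumer must not treat a
    missing key as more benign than a revoked one.
    """
    results = verdicts(sigstatus_json)
    return bool(results) and all(v == "verified" for _, v in results)


def find_masked_revocations(sigstatus_json, locally_revoked_keyids):
    """Key IDs reported as missing although the local keyring lists them as revoked.

    This is the discrepancy in the report: the revocation reason is masked
    behind a "key-missing" error. locally_revoked_keyids is a constructed set
    standing in for what a real keyring lookup would return.
    """
    return [keyid for keyid, verdict in verdicts(sigstatus_json)
            if verdict == "missing" and keyid in locally_revoked_keyids]


if __name__ == "__main__":
    known_revoked = {"7E6ABE924645CC60"}  # constructed keyring state
    for label, data in (("expected", EXPECTED_SIGSTATUS),
                        ("regressed", REGRESSED_SIGSTATUS)):
        print(label, verdicts(data), "verified:", message_verified(data),
              "masked revocations:", find_masked_revocations(data, known_revoked))
```

In both the expected and the regressed output the overall status stays "error", so a consumer that keys on `status` alone is unaffected; the loss is in the diagnostic, which is why the check above compares the reported reason against the keyring's view rather than just the status field.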