On Mon 2025-04-14 13:43:20 +0200, Justus Winter wrote:
> René Engelhard <r...@rene-engelhard.de> writes:
>
>> If you divert /usr/bin/gpg, IMHO you need to behave like gpg.
>
> gpg doesn't behave like gpg.  Just look at all the version-specific
> hacks in GPGME if you don't take my word for it.  Any code relying on a
> specific behavior of gpg is broken.

GnuPG maintainer here. i have to say i'm sympathetic to Justus's
position, though i would have put it slightly differently.

There is no one single "gpg behavior", even among all currently
supported GnuPG releases.  It gets even hairier if you go back in time
and look at the range of historical behaviors, even of all versions in
Debian stable releases.

Doing downstream maintenance of GnuPG means dealing with constant flux
and strange quirks, some of which upstream takes seriously when they're
discovered and some of which appear to just be the standard operating
procedure, with no explanation forthcoming.

the Sequoia Chameleon ("gpg-sq") has so far been fairly stable, and its
divergences from GnuPG are explicitly documented with what seem like
reasonable motivations to me:

    https://gitlab.com/sequoia-pgp/sequoia-chameleon-gnupg#known-deliberate-divergences

The fact that it uncovered weak digest algorithms used in a relatively
recently created test suite does not seem like a bug in gpg-sq; rather,
it looks like part of a long overdue hardening of the ecosystem.

Regards,

        --dkg
