Re: Re: GnuPG 2.4 before Trixie freeze

2025-01-14 Thread Andrew Gallagher
Simon Joseffson <si...@joseffson.org> wrote:

> It seems there is push from the anti-GnuPG people to promote a fork called 
> FreePG instead of real GnuPG, will you package that?
>
> https://gitlab.com/freepg/gnupg

FreePG is not an anti-GnuPG project; if anything it’s trying to keep GnuPG on 
Linux alive as long as possible, so as not to force users into a disruptive 
sudden migration to other tools. It is also very deliberately not a fork, but 
rather a set of discrete patches that are already being applied by multiple 
downstreams, some dating back years.

> Who is behind FreePG?

Me, mostly. I wrote the CI tooling that runs FreePG, and dkg has been helping 
to review and de-lint the patches against upstream, in consultation with other 
downstreams.

> Or do we want to trust 'Hooty McOwlface' with no earlier publicly recorded 
> community contributions?

Some clarity about Hooty is overdue. It is a machine account controlled by a 
Docker container that currently runs on my laptop, primarily because there are 
some automation tasks (such as mangling branch histories) that are not 
currently easy to do in the GitLab CI. I have commented on tickets using 
Hooty’s name in the past, but I’m trying to avoid it these days to avoid giving 
the impression that Hooty has an opinion.

At some point I may decide to walk away from the project, in which case I can 
hand Hooty over to someone else as a functioning unit.

> This is even more true considering that the people who are patching GnuPG 
> seem to be the same people who are working on replacing GnuPG with Sequoia.

If you mean dkg, he’s been doing thankless work for years now trying to keep 
the OpenPGP ecosystem together, including by wrangling downstream packaging for 
*multiple* projects. The Sequoia project has never been involved in FreePG, and 
they most likely found out about it the same way everyone else here did. FreePG 
is an orthogonal project and is not intended to either help or impede adoption 
of Sequoia - the target userbase is people who cannot, or do not wish to, 
migrate away from GnuPG (yet?), but also don’t wish to become incompatible with 
mainstream OpenPGP.

A





Re: GnuPG 2.4 before Trixie freeze

2025-01-14 Thread Andrew Gallagher
On Tue, Jan 14, 2025 at 06:10:22PM +0100, Simon Josefsson wrote:
> 
> Do you have earlier examples of Debian modifying upstream's desired wire
> crypto-sensitive protocol in the way like what is being done for GnuPG?
> Maybe there are some older OpenSSH or OpenSSL patches like that.

To reiterate, FreePG does not modify the cryptographic core of GnuPG, or its 
wire protocols, merely the preferences and defaults.

> I am hoping that the 'gnupg2' package could be altered towards that
> goal, and that some sort of compromise with the GnuPG Debian maintainers
> can be reached that providing a LibrePGP-compliant GnuPG in Debian is
> acceptable.

What is the criterion for LibrePGP compliance in your view? Is the ability to 
read and write LibrePGP wire formats not sufficient?

I would encourage readers to check the patch list at [1] and the discussion at 
[2].

-- 
Andrew Gallagher http://andrewg.com/ andr...@andrewg.com

[1] https://gitlab.com/freepg/gnupg/-/tree/main/STABLE-BRANCH-2-4-freepg
[2] https://gitlab.com/freepg/gnupg/-/issues/1