Your message dated Tue, 11 Mar 2025 00:09:41 +0000
with message-id <[email protected]>
and subject line Bug#1098995: fixed in notmuch 0.38.3-5
has caused the Debian Bug report #1098995,
regarding test suite regressions with fixed GnuPG
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1098995: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098995
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: notmuch
Version: 0.38.3-3+b2
Control: affects -1 + src:gnupg2
Hey notmuch folks--
GnuPG recently fixed a denial of service for signature verification in
the keyring on its master branch: https://dev.gnupg.org/T7527
However, when i backport the fix for this DoS to debian (2.2.46-2), i
get this failure in the notmuch test suite, in T350-crypto.sh:
https://ci.debian.net/packages/n/notmuch/testing/amd64/58295837/#L2732
```
93s FAIL signature verification with revoked key
93s --- T350-crypto.19.expected 2025-02-26 22:12:14.641273874 +0000
93s +++ T350-crypto.19.output 2025-02-26 22:12:14.641273874 +0000
93s @@ -21,7 +21,7 @@
93s "sigstatus": [
93s {
93s "errors": {
93s - "key-revoked": true
93s + "key-missing": true
93s },
93s "keyid": "7E6ABE924645CC60",
93s "status": "error"
93s @@ -34,7 +34,7 @@
93s "status": [
93s {
93s "errors": {
93s - "key-revoked": true
93s + "key-missing": true
93s },
93s "keyid": "7E6ABE924645CC60",
93s "status": "error"
93s
```
I'm reading this as "gpg now reports that the signing key is *missing*
rather than *revoked*, when it is actually revoked".
I am going to try to replicate this in gnupg's master branch and report
the problem upstream, but i wanted to note the issue to notmuch as well,
to see whether anyone has a preference about how to fix it.
I don't think that reverting the fix in GnuPG is a good idea, given the
DoS that it resolves.
--dkg
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: notmuch
Source-Version: 0.38.3-5
Done: David Bremner <[email protected]>
We believe that the bug you reported is fixed in the latest version of
notmuch, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Bremner <[email protected]> (supplier of updated notmuch package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 28 Feb 2025 16:24:35 -0500
Source: notmuch
Architecture: source
Version: 0.38.3-5
Distribution: unstable
Urgency: medium
Maintainer: Carl Worth <[email protected]>
Changed-By: David Bremner <[email protected]>
Closes: 1098995
Changes:
notmuch (0.38.3-5) unstable; urgency=medium
.
* Bug fix: "test suite regressions with fixed GnuPG", thanks to
Daniel Kahn Gillmor (Closes: #1098995).
Checksums-Sha1:
3996024ae8dbbdfff6455107e6fe0ea22314dcf1 2899 notmuch_0.38.3-5.dsc
b948be01fd7e242bd3a1e01b26dc0fa4e39f59c8 22060 notmuch_0.38.3-5.debian.tar.xz
Checksums-Sha256:
7df6e26d30fafe20cd209630cf287a6c2db10a26527ff4757a517dca298d6a02 2899
notmuch_0.38.3-5.dsc
ab83fc3e9db2a3c8ffb221c128eca318128b738c0896496ee19097eb400faa30 22060
notmuch_0.38.3-5.debian.tar.xz
Files:
b1c1b77e2a87b7ec162c10e844dcdcc6 2899 mail optional notmuch_0.38.3-5.dsc
eb873e475beb2482180658d466ae8883 22060 mail optional
notmuch_0.38.3-5.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQS5beC2erx2PFqyC7XhcL+0NDTnAAUCZ894VwAKCRDhcL+0NDTn
AKq5AP4spgTaOyPHfXO9AhZ26bQQD2aCw3MD7f/3VC9NnLRLlgEAi5jqN5YaKh+N
MYNBW5odkyMcNwfbPBpt48GYh6ixPgU=
=Rgkl
-----END PGP SIGNATURE-----
pgpnT7fb99Oqd.pgp
Description: PGP signature
--- End Message ---