On Tue 2025-05-27 10:40:29 +0200, Sune Stolborg Vuorela wrote:
> Now that sequoia also thinks that having non-critical packets anywhere, can we
> also let GnuPG do it, right ?
>
> https://gitlab.com/sequoia-pgp/sequoia/-/issues/1193#note_2522532582

An argument from a close read of the specification that multiple implementers have reviewed and agreed to implement is certainly more convincing from an interoperability perspective than the argument of "GnuPG has always done things this way". It'd be even more compelling if GnuPG upstream would aim at following the standard in question, but yes, i agree with you that we're trying to coax the version in Debian to be more standards-compatible than the raw upstream, to increase the likelihood of functioning interoperability.

However, this still doesn't address the main concern from the patch in question that you're asking to be modified. In particular, that patch tries to minimize the attack surface of arbitrary packet parsers for material most likely to be coming from an adversary.

I can take a look and see whether it's possible to get both kinds of benefits -- standards compliance and reduced attack surface -- but i'd certainly appreciate some upstream support in doing so.

--dkg