Hi,

Recently, python-gnupg was triaged for maintenance in Debian LTS, which brought my attention to this little wrapper around GnuPG that I'm somewhat familiar with.
Debian is marked as "vulnerable" for CVE-2019-6690 in Jessie and Stretch right now, with buster and sid marked as fixed, as you can see here:

https://security-tracker.debian.org/tracker/source-package/python-gnupg

I'm concerned about the security of this project in general. Even though that specific instance might be fixed, there are many more bad security practices used in this project. A fork was created by Isis Agora Lovecruft to fix those issues:

https://github.com/isislovecruft/python-gnupg/

Those patches were not merged back upstream, which disputes isis' claims. The security issues found in the upstream package are partly documented here:

https://blog.patternsinthevoid.net/pretty-bad-protocolpeople.html

I am concerned that fixing only this specific CVE will give users a false sense of security, as many more similar issues might be lurking in the code.

Having, myself, dealt with writing such a library (lesson learnt: don't do that), I can confirm it is very hard (if not impossible) to properly talk with GnuPG in a reasonable way. There is now a constant flow of vulnerabilities coming out that outline commonly made mistakes when trying to talk the line dialog with GnuPG. For example:

https://dev.gentoo.org/~mgorny/articles/evolution-uid-trust-extrapolation.html
https://blogs.gentoo.org/mgorny/2019/01/29/identity-with-openpgp-trust-model/

I suspect many such issues could be identified formally in the python-gnupg package. But maybe, instead, we should just mark it as unsupported in debian-security-support and move on.
There are few packages depending on it.

in jessie:

    Reverse Depends:
      Dépend: hash-slinger
      Dépend: pyspread

in stretch:

    Reverse Depends:
      Casse: gnupg (<< 0.3.8-3)
      Recommande: python-sleekxmpp
      Dépend: pyspread
      Dépend: hash-slinger
      Dépend: goopg
      Dépend: deken

in buster:

    Reverse Depends:
      Casse: gnupg (<< 0.3.8-3)
      Dépend: hash-slinger
      Dépend: goopg
      Recommande: python-sleekxmpp
      Dépend: python-rosbag
      Dépend: pyspread

Note that the list is (slowly) growing.

What do people think?

A.

-- 
The adversary of true liberty is an excessive desire for security. - Jean de la Fontaine
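As an added example (not python-gnupg's own code, nor code from the fork mentioned above), here is the kind of input validation and strict status parsing a wrapper around gpg's line dialog needs. The newline check mirrors the class of bug behind CVE-2019-6690, where a passphrase containing a newline, written to gpg over a passphrase fd, breaks the line framing of that stream; the status keywords are real gpg --status-fd keywords, but the sample output below is constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample of what gpg emits on --status-fd during a decrypt, mixed
# with a human-readable gpg message that must NOT be treated as status output.
SAMPLE_STATUS = (
    "[GNUPG:] ENC_TO 0123456789ABCDEF 1 0\n"
    "gpg: encrypted with 2048-bit RSA key\n"
    "[GNUPG:] GOOD_PASSPHRASE\n"
    "[GNUPG:] BEGIN_DECRYPTION\n"
    "[GNUPG:] DECRYPTION_OKAY\n"
    "[GNUPG:] END_DECRYPTION\n"
)

STATUS_PREFIX = "[GNUPG:] "


def is_safe_passphrase(passphrase: str) -> bool:
    """A passphrase handed to gpg via --passphrase-fd (or --command-fd) is read
    as one line. Any control character, and in particular a newline, ends the
    line early and the remainder is consumed as the next input line, so only
    passphrases free of control characters are safe to frame that way."""
    return not any(ord(c) < 0x20 or c == "\x7f" for c in passphrase)


def frame_passphrase_fd(passphrase: str) -> bytes:
    """Bytes to write on the passphrase fd: exactly one line, nothing after it."""
    if not is_safe_passphrase(passphrase):
        raise ValueError("passphrase contains a control character (newline, CR, NUL, ...)")
    return (passphrase + "\n").encode("utf-8")


def parse_status_fd(text: str) -> List[Tuple[str, List[str]]]:
    """Strict parser: only lines carrying the exact '[GNUPG:] ' prefix are
    status records; everything else is ignored and never matched by substring."""
    records = []
    for line in text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        keyword, *args = line[len(STATUS_PREFIX):].split(" ")
        if not re.fullmatch(r"[A-Z_]+", keyword):
            raise ValueError(f"malformed status keyword: {keyword!r}")
        records.append((keyword, args))
    return records


def decryption_succeeded(text: str) -> bool:
    """Require the positive keyword, not merely the absence of an error line."""
    keywords = {k for k, _ in parse_status_fd(text)}
    return "DECRYPTION_OKAY" in keywords and "DECRYPTION_FAILED" not in keywords
```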