Asher Gordon wrote:
> Ineiev writes:
> > The respective part of Savannah runs Trisquel 7, and it comes with
> > GnuPG 2.0 series which doesn't support ECC anyway; however, we should
> > update it before 2020, and then...
>
> I see. It's too bad Savannah doesn't host the GnuPG git repository,
> because then I could point out how ironic it is that Savannah hosts
> GnuPG but still uses an old version! :-)
I'll own that one. I really push for having an alive security patch process, and using a software distribution package management system makes that much easier than building everything from scratch. Our Savannah systems get patches installed usually within a day of their being available from the distro security team. That covers literally millions of lines of code. That is much more than we could review and manage ourselves. We rely upon the community to help.

For critical services such as gpg the visibility and importance of a security problem would be high. Every time we decide that we are going to own a bit of code for the systems, then *we* must be on-the-bounce ready to react to any security issues. If someone finds a vulnerability in a project that we are owning, then we need to jump and react to it. But with an entire system it is really easy not to notice an individual project needing a custom update. The terrible irony would be that a security vulnerability would get found, reported, known by the malicious, fixed upstream, and we might still be running a stale old copy that we had not realized needed to be updated if we are not paying attention, and get compromised. On the other hand, the daily distro package upgrade keeps things simple.

It is possible to use containers to jump some bits of software forward using a different distro and that associated security stream. We do that for a few services. (Notably for git.) We might do that for GPG too. Life and time is what keeps everything from happening all at once. Every time we do that it also increases the complexity of the interactions. But GPG features have been causing noise, so we will probably get there eventually.

Bob
