Chocolatey-coreteampackages: (gpg4win-vanilla/light) Not maintained upstream, possible vulnerability

Created on 30 May 2018 · 9 comments · Source: chocolatey-community/chocolatey-coreteampackages

Expected Behavior

gpg4win-vanilla and gpg4win-light are still maintained by upstream.

Unfortunately, this is no longer the case.

Current Behavior

gpg4win-vanilla and gpg4win-light have been left on the now outdated and unmaintained 2.0 GnuPG branch. These packages have not been updated for more than a year and are potentially putting their users at risk. From now on, gpg4win will be the only package still maintained by upstream (on the 2.2 GnuPG branch).

Possible Solution

Update gpg4win-vanilla and gpg4win-light to make them dummy packages depending on gpg4win. That way, all users of these outdated (lighter) packages will be upgraded to the current (2.2) branch of gpg4win, which is more secure and still maintained.

The current gpg4win package is significantly lighter than it was previously (Claws Mail has been removed, for example).

If I get some sort of quorum/acceptance from some of you, I'll update these two packages in the days to come according to this possible solution. What do you think? Any concerns here?

Steps to Reproduce (for bugs)

N/A

Context

N/A

Your Environment

N/A
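The "dummy package" proposed above is, in Chocolatey terms, a package whose nuspec declares a dependency and ships no install script of its own, so `choco upgrade` of the old id pulls in the replacement. The nuspec below is an added illustration of that mechanism for the gpg4win-vanilla case described in the issue; it is not a file from the chocolatey-coreteampackages repository, and the version number, release notes text and dependency pinning are placeholders chosen for the example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the repository's actual nuspec. -->
<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
  <metadata>
    <id>gpg4win-vanilla</id>
    <!-- Placeholder: must be higher than the last real gpg4win-vanilla release
         so that existing installs see it as an upgrade. -->
    <version>3.0.0</version>
    <title>Gpg4win Vanilla (deprecated)</title>
    <authors>Intevation GmbH</authors>
    <owners>chocolatey-community</owners>
    <description>
      Deprecated: upstream no longer maintains the gpg4win-vanilla build
      (GnuPG 2.0 branch). This package now only depends on gpg4win,
      which tracks the maintained GnuPG 2.2 branch.
    </description>
    <releaseNotes>Converted to a meta package depending on gpg4win.</releaseNotes>
    <dependencies>
      <!-- No version attribute: any current gpg4win satisfies the dependency.
           Pin with version="[3.1.0,)" (placeholder) if a minimum is required. -->
      <dependency id="gpg4win" />
    </dependencies>
  </metadata>
  <!-- Deliberately no <files> section and no tools/chocolateyInstall.ps1:
       a meta package installs nothing itself. -->
</package>
```

Because the old package id stays published, users who pinned `gpg4win-vanilla` in scripts are moved to the maintained build on their next `choco upgrade all` rather than silently staying on GnuPG 2.0.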

Labels: Question, Discussion

All 9 comments

Why not this:

https://www.gnupg.org/download/index.html
Link: https://www.gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.7_20180502.exe

IMO we should make a new gnupg package from the above and keep everything else as it is. A note could be added to the existing packages that there are alternatives, security issues, etc.

I agree that the gpg4win-* packages should be left at the current version; making them dummy packages would not be correct in this regard IMO.
What could be done, though, is to update the packages and output a warning to users installing the package (just mentioning that it isn't supported anymore).

BTW, there already exists a gnupg package (well, the modern edition anyhow): https://chocolatey.org/packages/gnupg-modern

> BTW, there already exists a gnupg package (well, the modern edition anyhow): https://chocolatey.org/packages/gnupg-modern

Yeah, this one is current. IMO it should be migrated here and made embedded. @wget, are you up for the things we decided here, namely:

  1. Migrate gnupg-modern here, IMO name should be changed to gnupg
  2. Add warning and/or notes in 2 outdated packages.

@majkinetor Ok. Understood. What kind of warning should I write? How am I supposed to write it? Simply with Write-Host, or do you have any other Chocolatey PS helper cmdlet that formats the output as error or warning content?

How should I handle the gnupg-modern to gnupg dependency? Simply make gnupg-modern a dummy package depending on the new gnupg package to be created?

Write-Warning
Yes

gnupg-modern should be migrated here, PR-ed there (it's AU automatic).
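The answer above is just the cmdlet name. The script below is an added example of how the agreed-upon warning would look in a package's `tools/chocolateyInstall.ps1`; it is not code from the chocolatey-coreteampackages repository. It uses Write-Warning, as suggested, rather than Write-Host, because Write-Warning goes to PowerShell's warning stream, which Chocolatey captures and records at WARN level in its log instead of treating as plain output. The `$env:ChocolateyPackageName` and `$env:ChocolateyPackageVersion` variables are set by Chocolatey for every install script, so one copy of this preamble can be reused in both outdated packages; everything below the preamble is a placeholder for the package's real install steps.

```powershell
# Added example: deprecation warning preamble for an unmaintained package.
# Not the repository's actual chocolateyInstall.ps1.
$ErrorActionPreference = 'Stop'

# Chocolatey populates these for every install script, so the message
# does not need to hard-code the package id or version.
$pkgName    = $env:ChocolateyPackageName
$pkgVersion = $env:ChocolateyPackageVersion

# Write-Warning, not Write-Host: the warning stream is logged by Chocolatey
# at WARN level and is highlighted in the console, so the notice is hard
# to miss in both interactive installs and unattended logs.
Write-Warning "$pkgName $pkgVersion is no longer maintained upstream."
Write-Warning "It ships the GnuPG 2.0 branch, which no longer receives security fixes."
Write-Warning "Consider installing the maintained 'gpg4win' package (GnuPG 2.2 branch) instead."

# Placeholder for the package's existing installation logic (for example an
# Install-ChocolateyPackage call with the real URL and checksum); it is
# intentionally omitted here because the page does not show it.
```

Keeping the warning at the top of the script means it is printed even if the download or installer later fails, so a user who reads only the tail of the log still sees why the package is flagged.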

@jtcmedia would you be interested in having the gnupg-modern package migrated to this repository?

Ya, no problem. I don't have time to do it myself at the moment, so if someone else wants to fork and PR with the changes suggested by @majkinetor, I'll remove it from my repo.

@AdmiringWorm @jtcmedia Done.
I'll now add the long awaited warning to the other outdated GPG4win packages.
