Releases retrieved: 2.5.0 Upstream release that is considered latest: 2.5.0 Current version/release in rawhide: 2.4.5-1.fc41 URL: https://gnupg.org/software/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_Monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/1215/ To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/gnupg2
the-new-hotness/release-monitoring.org's scratch build of gnupg2-2.5.0-1.fc40.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=120044435
Created attachment 2044293 [details] Update to 2.5.0 (#2296000)
the-new-hotness/release-monitoring.org's scratch build of gnupg2-2.5.0-1.fc40.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=122040761
Releases retrieved: 2.5.1 Upstream release that is considered latest: 2.5.1 Current version/release in rawhide: 2.4.5-3.fc41 URL: https://gnupg.org/download/
Created attachment 2046548 [details] Update to 2.5.1 (#2296000)
the-new-hotness/release-monitoring.org's scratch build of gnupg2-2.5.1-1.fc40.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=123293641
Created attachment 2053147 [details] Update to 2.5.1 (#2296000)
the-new-hotness/release-monitoring.org's scratch build of gnupg2-2.5.1-1.fc40.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=125095711
Created attachment 2054266 [details] Update to 2.5.1 (#2296000)
the-new-hotness/release-monitoring.org's scratch build of gnupg2-2.5.1-1.fc40.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=125328468
Created attachment 2059731 [details] Update to 2.5.1 (#2296000)
the-new-hotness/release-monitoring.org's scratch build of gnupg2-2.5.1-1.fc40.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=126246456
Releases retrieved: 2.5.2 Upstream release that is considered latest: 2.5.2 Current version/release in rawhide: 2.4.5-4.fc42 URL: https://gnupg.org/download/
Created attachment 2061338 [details] Update to 2.5.2 (#2296000)
the-new-hotness/release-monitoring.org's scratch build of gnupg2-2.5.2-1.fc40.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=126542588
Releases retrieved: 2.5.3 Upstream release that is considered latest: 2.5.3 Current version/release in rawhide: 2.4.5-4.fc42 URL: https://gnupg.org/download/
Created attachment 2065277 [details] Update to 2.5.3 (#2296000)
the-new-hotness/release-monitoring.org's scratch build of gnupg2-2.5.3-1.fc40.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=127701959
Releases retrieved: 2.5.4 Upstream release that is considered latest: 2.5.4 Current version/release in rawhide: 2.4.7-2.fc42 URL: https://gnupg.org/download/
Created attachment 2076119 [details] Update to 2.5.4 (#2296000)
the-new-hotness/release-monitoring.org's scratch build of gnupg2-2.5.4-1.fc40.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=129173239
Releases retrieved: 2.5.5 Upstream release that is considered latest: 2.5.5 Current version/release in rawhide: 2.4.7-2.fc42 URL: https://gnupg.org/download/
Created attachment 2079272 [details] Update to 2.5.5 (#2296000)
the-new-hotness/release-monitoring.org's scratch build of gnupg2-2.5.5-1.fc40.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=129949183
Releases retrieved: 2.5.6 Upstream release that is considered latest: 2.5.6 Current version/release in rawhide: 2.4.7-3.fc43 URL: https://gnupg.org/download/
Created attachment 2089003 [details] Update to 2.5.6 (#2296000)
the-new-hotness/release-monitoring.org's scratch build of gnupg2-2.5.6-1.fc40.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=132458738
Created attachment 2089785 [details] Update to 2.5.6 (#2296000)
the-new-hotness/release-monitoring.org's scratch build of gnupg2-2.5.6-1.fc40.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=132725972
Releases retrieved: 2.5.7 Upstream release that is considered latest: 2.5.7 Current version/release in rawhide: 2.4.8-2.fc43 URL: https://gnupg.org/download/
Created attachment 2092775 [details] Update to 2.5.7 (#2296000)
the-new-hotness/release-monitoring.org's scratch build of gnupg2-2.5.7-1.fc40.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=133469397
Releases retrieved: 2.5.9, 2.5.10, 2.5.11, 2.5.12 Upstream release that is considered latest: 2.5.12 Current version/release in rawhide: 2.4.8-4.fc43 URL: https://gnupg.org/download/
Created attachment 2110350 [details] Update to 2.5.12 (#2296000)
the-new-hotness/release-monitoring.org's scratch build of gnupg2-2.5.12-1.fc40.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=138333005
Releases retrieved: 2.5.13 Upstream release that is considered latest: 2.5.13 Current version/release in rawhide: 2.4.8-4.fc43 URL: https://gnupg.org/download/
Created attachment 2110463 [details] Update to 2.5.13 (#2296000)
the-new-hotness/release-monitoring.org's scratch build of gnupg2-2.5.13-1.fc40.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=138358862
Releases retrieved: 2.5.14 Upstream release that is considered latest: 2.5.14 Current version/release in rawhide: 2.4.8-4.fc43 URL: https://gnupg.org/download/
Created attachment 2115284 [details] Update to 2.5.14 (#2296000)
the-new-hotness/release-monitoring.org's scratch build of gnupg2-2.5.14-1.fc40.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=139079154
Releases retrieved: 2.5.16 Upstream release that is considered latest: 2.5.16 Current version/release in rawhide: 2.4.8-4.fc43 URL: https://gnupg.org/download/
Created attachment 2120484 [details] Update to 2.5.16 (#2296000)
the-new-hotness/release-monitoring.org's scratch build of gnupg2-2.5.16-1.fc40.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=140500450
Created attachment 2120539 [details] Update to 2.5.16 (#2296000)
the-new-hotness/release-monitoring.org's scratch build of gnupg2-2.5.16-1.fc40.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=140506366
Releases retrieved: 2.5.17 Upstream release that is considered latest: 2.5.17 Current version/release in rawhide: 2.4.9-4.fc44 URL: https://gnupg.org/download/
Created attachment 2123967 [details] Update to 2.5.17 (#2296000)
the-new-hotness/release-monitoring.org's scratch build of gnupg2-2.5.17-1.fc40.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=141622907
Releases retrieved: 2.5.18 Upstream release that is considered latest: 2.5.18 Current version/release in rawhide: 2.4.9-5.fc44 URL: https://gnupg.org/download/
Created attachment 2130810 [details] Update to 2.5.18 (#2296000)
the-new-hotness/release-monitoring.org's scratch build of gnupg2-2.5.18-1.fc40.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=142707691
Releases retrieved: 2.5.19 Upstream release that is considered latest: 2.5.19 Current version/release in rawhide: 2.4.9-7.fc45 URL: https://gnupg.org/download/
Created attachment 2138145 [details] Update to 2.5.19 (#2296000)
the-new-hotness/release-monitoring.org's scratch build of gnupg2-2.5.19-1.fc43.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=144771432
(In reply to Upstream Release Monitoring from comment #53)
> Releases retrieved: 2.5.19
> Upstream release that is considered latest: 2.5.19
> Current version/release in rawhide: 2.4.9-7.fc45
> URL: https://gnupg.org/download/
> Based on the information from Anitya: https://release-monitoring.org/project/1215/
> To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/gnupg2
[Announce] GnuPG 2.5.19 released: https://lists.gnu.org/archive/html/info-gnu/2026-04/msg00010.html
Note that the old 2.4 series reaches end-of-life in just two months.
> Note that the old 2.4 series reaches end-of-life in just two months.
Note that the new 2.5 series introduces a non-standard LibrePGP packet format incompatible with OpenPGP. If we want to update to 2.5, we need to make sure we won't break users, likely going by patching the librepgp bits out, such as freepg does: https://gitlab.com/freepg/gnupg
I visited this bug to +1 it as the newer versions have support for hybrid PQ algorithms that current gpg version in Fedora doesn't yet support. Non-PQ algorithms are projected to become vulnerable in the near future, and there is some reporting from cryptographer presentations that companies are storing encrypted messages so they may be decrypted later when possible. Please would you increase the priority of this ticket to publish RPMs of the 2.5 series (as it's been available for some time). Browsing the comments, I am wondering about the comment to patch the gnupg package which may contain protocol changes that the upstream GnuPG project has rejected. Do the RPM maintainers have as much expertise in making these crypto choices (from a project whose committer is named "Hooty McOwlface" -- it's not clear if that's a real name) as the upstream GnuPG developers and the opposing OpenPGP RFC editors? If a package is called gnupg, a user expects its implementation to closely match its upstream project. Otherwise perhaps it's best released as a separate "freepg" package. Package users will expect GnuPG to follow LibrePGP as the upstream authors state on their website, and downstream protocol modifications in the RPM would be unexpected. Why is there no consensus with upstream GnuPG over https://gitlab.com/freepg/gnupg/-/blob/main/DIFF.md many of which appear to be sensible? Do the GnuPG developers have some good reason not to merge them upstream?
> If we want to update to 2.5, we need to make sure we won't break users, likely going by patching the librepgp bits out, such as freepg does:
You may also want to ponder about what will break things for users:
* LibrePGP states it is backwards-compatible with RFC4880.
* Can GnuPG 2.5 not accept effects generated by GnuPG 2.4?
* If any FreePG patches are applied, would that break compatibility with upstream GnuPG 2.5 users that non-Fedora users may be using unmodified?
I suggest asking the upstream GnuPG project about this and what they suggest. This would be the best as they are the upstream.
> * LibrePGP states it is backwards-compatible with RFC4880.
I retract this. I wrote this remembering reading it somewhere, but I am not able to find a reference now.
> Non-PQ algorithms are projected to become vulnerable in the near future, and there is some reporting from cryptographer presentations that companies are storing encrypted messages so they may be decrypted later when possible.
Do you use OpenPGP encrypted messages over the internet that could be stored and decrypted later?
> Do the RPM maintainers have as much expertise in making these crypto choices (from a project whose committer is named "Hooty McOwlface" -- it's not clear if that's a real name) as the upstream GnuPG developers and the opposing OpenPGP RFC editors?
If you are referring to the FreePG project, yes, these are mostly downstream developers with OpenPGP expertise as you can see on the freepg gitlab -- no RPM involved here.
I do not see any opposition to RFC editors -- the FreePG project is solemnly preventing users to shoot themselves into their feet by using non-standard LibrePGP artifacts (by default). Updating to 2.5 will allow using them, but they will not be compatible with OpenPGP PQC, which is a problem.
> Why is there no consensus with upstream GnuPG over https://gitlab.com/freepg/gnupg/-/blob/main/DIFF.md many of which appear to be sensible? Do the GnuPG developers have some good reason not to merge them upstream?
The best would be to ask the upstream. I think all or most of the patches will have some upstream issue where it was rejected for various reasons (up to the reader to figure out if they are sensible or not).
> * Can GnuPG 2.5 not accept effects generated by GnuPG 2.4?
It can, but no other software in the world can accept artifacts generated by GnuPG 2.5 (except for RNP), regardless of the exaggerated list of supported software. And no GnuPG can accept OpenPGP PQC artifacts, which is also the problem.
> I suggest asking the upstream GnuPG project about this and what they suggest. This would be the best as they are the upstream.
Feel free to do so. They would suggest upgrading to 2.5, because that's their project. They do that by forcibly obsoleting the 2.4 version and forcing users to upgrade. But Fedora is not their project and our aim is to support IETF standards that are published by the OpenPGP working group and not individual drafts published by individuals to keep the ecosystem together, rather than breaking it into incompatible islands.
Hi Jakub
(In reply to Jakub Jelen from comment #61)
> > Non-PQ algorithms are projected to become vulnerable in the near future, and there is some reporting from cryptographer presentations that companies are storing encrypted messages so they may be decrypted later when possible.
>
> Do you use OpenPGP encrypted messages over the internet that could be stored
> and decrypted later?
OpenPGP (gpg 2.4) is used to encrypt files in my workplace such as files containing shared passwords, personal identification documents, financial management reports, and these do travel over the internet. The point is not whether it goes over the internet or not or whether we are so important or not; as the files may not be secure, we want to adopt PQ hybrid algorithms. From your comment I don't follow if you're doubting whether we need it. As an analogy, OpenSSH defaults to "KexAlgorithms mlkem768x25519-sha256,..." currently on Fedora in /etc/crypto-policies/back-ends/opensshserver.config (although that's for KEX, but the reason is similar).
> > Do the RPM maintainers have as much expertise in making these crypto choices (from a project whose committer is named "Hooty McOwlface" -- it's not clear if that's a real name) as the upstream GnuPG developers and the opposing OpenPGP RFC editors?
>
> If you are referring to the FreePG project, yes, these are mostly downstream
> developers with OpenPGP expertise as you can see on the freepg gitlab -- no
> RPM involved here.
>
> I do not see any opposition to RFC editors -- the FreePG project is solemnly
> preventing users to shoot themselves into their feet by using non-standard
> LibrePGP artifacts (by default). Updating to 2.5 will allow using them, but
> they will not be compatible with OpenPGP PQC, which is a problem.
>
> > Why is there no consensus with upstream GnuPG over https://gitlab.com/freepg/gnupg/-/blob/main/DIFF.md many of which appear to be sensible? Do the GnuPG developers have some good reason not to merge them upstream?
>
> The best would be to ask the upstream. I think all or most of the patches
> will have some upstream issue where it was rejected for various reasons (up
> to the reader to figure out if they are sensible or not).
>
> > * Can GnuPG 2.5 not accept effects generated by GnuPG 2.4?
>
> It can, but no other software in the world can accept artifacts generated by
> GnuPG 2.5 (except for RNP), regardless of the exaggerated list of supported
> software. And no GnuPG can accept OpenPGP PQC artifacts, which is also the
> problem.
>
> > I suggest asking the upstream GnuPG project about this and what they suggest. This would be the best as they are the upstream.
>
> Feel free to do so. They would suggest upgrading to 2.5, because that's their
> project. They do that by forcibly obsoleting the 2.4 version and forcing
> users to upgrade. But Fedora is not their project and our aim is to support
> IETF standards that are published by the OpenPGP working group and not
> individual drafts published by individuals to keep the ecosystem together,
> rather than breaking it into incompatible islands.
You've made a comment about the gnupg RPM deviating from upstream GnuPG in protocol. I understand you want to match an IETF standards process RFC, instead of an independent submission RFC that LibrePGP looks to become, and that's a choice for Fedora if it wants to make it. But is it fair to continue to call that fork gnupg when it deviates in protocol from upstream GnuPG? If Fedora wants to follow FreePG, then would preparing a different freepg package not be better so there's no surprise to users that it's not following LibrePGP when that's what the upstream website and documentation would say?
But I do see from freepg.org that these patches are being adopted into all the popular distributions' gnupg packages, so I don't have more to say than to wait and see what is available in the Fedora packaged gpg.
Please do try to release a 2.5 version RPM soon so we can try the available PQ algorithms.
Can you answer one more question please: If the FreePG patches are adopted in Fedora gnupg and the OpenPGP RFC standard behavior is used by default, will encrypted messages/files created by Fedora gnupg be usable by upstream Windows versions of Gpg4win? I ask because I email encrypted files out to our auditors. Would any new CLI options be required to make Fedora gnupg interoperate with Gpg4win?
> OpenPGP (gpg 2.4) is used to encrypt files in my workplace such as files containing shared passwords, personal identification documents, financial management reports, and these do travel over the internet. The point is not whether it goes over the internet or not or whether we are so important or not; as the files may not be secure, we want to adopt PQ hybrid algorithms. From your comment I don't follow if you're doubting whether we need it. As an analogy, OpenSSH defaults to "KexAlgorithms mlkem768x25519-sha256,..." currently on Fedora in /etc/crypto-policies/back-ends/opensshserver.config (although that's for KEX, but the reason is similar).
For SSH/TLS the data travels over the internet implicitly, which makes them inherently more vulnerable. If you pass OpenPGP encrypted data over different channel, such as email (encrypted in TLS channel) or intranet, risk is much smaller, but I agree that it's still there and it's good to look into that!
Unfortunately, the GnuPG does not have any configuration like this so it's quite pain to make it use something by default (even for the reasons how the protocol works).
If you are aiming for the Gpg4win compatibility, using gnupg 2.5 is likely the way, but obviously with the caveat it won't be compatible with other OpenPGP software. Other option might be looking into other OpenPGP software.
> If the FreePG patches are adopted in Fedora gnupg and the OpenPGP RFC standard behavior is used by default, will encrypted messages/files created by Fedora gnupg be usable by upstream Windows versions of Gpg4win? I ask because I email encrypted files out to our auditors. Would any new CLI options be required to make Fedora gnupg interoperate with Gpg4win?
The Gpg4win is basically just a GnuPG packaged for windows, which is already following the LibrePGP standard. At this moment, the GnuPG is generating only the pre-PQC OpenPGP artifacts so at this moment anything that is generated by GnuPG 2.4 is readable by Gpg4Win.
The FreePG patches do not remove support for LibrePGP, but just do not enable it by default. That said, if one wants to use librePGP, they can with `--compliance=gnupg`, for example:
https://gitlab.com/freepg/gnupg/-/blob/main/master-freepg/0024-gpg-Emit-LibrePGP-material-only-in-compliance-gnupg.patch?ref_type=heads
I think there is no implementation for the OpenPGP PQC yet either as it would be much larger feat to do.
Thank you for your interest! I am pondering around this and searching for a good solution for last couple of years. And I am still not sure what it will be. Using FreePG updated to 2.5 branch will be likely way to go as nobody would accidentally use incompatible implementation, but people who know what they are doing can use the PQC out of the box.
What are other distributions (Debian, SUSE, Arch, Gentoo, ...) doing ?
Hi Jakub
Thank you for the kind answers.
(In reply to Jakub Jelen from comment #64)
> For SSH/TLS the data travels over the internet implicitly, which makes them
> inherently more vulnerable. If you pass OpenPGP encrypted data over
> different channel, such as email (encrypted in TLS channel) or intranet,
> risk is much smaller, but I agree that it's still there and it's good to look
> into that!
A couple of other ways in which the files may not have another underlying PQ-secure layer such as SSH/TLS:
* The vendors receive email on their company's DNS domain with file attachments, but in many cases their email provider is Gmail or Outlook. In such cases, Google/Microsoft have access to the encrypted file attachment directly which they store.
* Some encrypted files (e.g., ID documents) are stored in git repositories accessed over SSH. OpenSSH has the mklem+ key exchange, but Gerrit's SSH currently does not. In our case, Gerrit is inside the VPN which is PQ hardened, but others who use Gerrit over the public internet may not have this additional transport security.
>
> Unfortunately, the GnuPG does not have any configuration like this so it's
> quite pain to make it use something by default (even for the reasons how the
> protocol works).
>
> If you are aiming for the Gpg4win compatibility, using gnupg 2.5 is likely
> the way, but obviously with the caveat it won't be compatible with other
> OpenPGP software. Other option might be looking into other OpenPGP software.
>
> > If the FreePG patches are adopted in Fedora gnupg and the OpenPGP RFC standard behavior is used by default, will encrypted messages/files created by Fedora gnupg be usable by upstream Windows versions of Gpg4win? I ask because I email encrypted files out to our auditors. Would any new CLI options be required to make Fedora gnupg interoperate with Gpg4win?
>
> The Gpg4win is basically just a GnuPG packaged for windows, which is already
> following the LibrePGP standard. At this moment, the GnuPG is generating
> only the pre-PQC OpenPGP artifacts so at this moment anything that is
> generated by GnuPG 2.4 is readable by Gpg4Win.
>
> The FreePG patches do not remove support for LibrePGP, but just do not
> enable it by default. That said, if one wants to use librePGP, they can with
> `--compliance=gnupg`, for example:
>
> https://gitlab.com/freepg/gnupg/-/blob/main/master-freepg/0024-gpg-Emit-LibrePGP-material-only-in-compliance-gnupg.patch?ref_type=heads
>
> I think there is no implementation for the OpenPGP PQC yet either as it
> would be much larger feat to do.
>
> Thank you for your interest! I am pondering around this and searching for a
> good solution for last couple of years. And I am still not sure what it will
> be. Using FreePG updated to 2.5 branch will be likely way to go as nobody
> would accidentally use incompatible implementation, but people who know what
> they are doing can use the PQC out of the box.
Thank you for this Jakub. It's much appreciated.
s/mklem\+/mlkem768x25519-sha256/
Hi Xose
(In reply to Xose Vazquez Perez from comment #65)
> What are other distributions (Debian, SUSE, Arch, Gentoo, ...) doing ?
There is some commentary on this page: https://freepg.org/ (see under usage)