Re: bin/59936: netpgpverify needs big update

To: gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost,Thomas Klausner <wiz%NetBSD.org@localhost>
Subject: Re: bin/59936: netpgpverify needs big update
From: "Thomas Klausner via gnats" <gnats-admin%NetBSD.org@localhost>
Date: Fri, 23 Jan 2026 16:30:02 +0000 (UTC)

The following reply was made to PR bin/59936; it has been noted by GNATS.

From: Thomas Klausner <wiz%netbsd.org@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: bin/59936: netpgpverify needs big update
Date: Fri, 23 Jan 2026 17:26:08 +0100

 On Fri, Jan 23, 2026 at 04:05:01PM +0100, Thomas Klausner via gnats wrote:
 > - support signatures created by gpg2

 I think this particular problem might have been fixed in pkgsrc with
 riastradh's commit:

 --- begin ---

 security/netpgpverify: Handle issuer fingerprint subpackets.

 This is an extremely dodgy stop-gap measure to verify signatures
 produced by gpg2.  It does nothing to address pervasive problems in
 netpgpverify, like PR security/57449 or PR bin/59823, or even more
 narrowly scoped problems with using keyids instead of fingerprints.
 I'm a little reluctant to even commit this stop-gap because the
 problems are so bad, and a band-aid won't fix a spurting carotid.

 --- end ---

 but the other two aren't (gpg keyrings, gpg2-created keys).
  Thomas

Prev by Date: bin/59936: netpgpverify needs big update
Next by Date: Re: bin/59936: netpgpverify needs big update
Previous by Thread: bin/59936: netpgpverify needs big update
Next by Thread: Re: bin/59936: netpgpverify needs big update
Indexes:

Home | Main Index | Thread Index | Old Index