Quoting Kai Wasserbäch (debian@carbon-project.org):
> Hello,
> on the 1st of April I wrote an e-mail to James Troup offering my help in hunting

You shouldn't have done this on 1st of April as you could then have
received an answer.

> So my question is: Is James known to be inactive? Are there others currently on


There are rumours about that, yes. Maybe a package hijack could be
attempted by someone who's lucky enough to have his|her key in the
keyring.

On Wed, Apr 16, 2008 at 04:49:50PM +0200, Christian Perrier wrote:
>
> There are rumours about that, yes. Maybe a package hijack could be
> attempted by someone who's lucky enough to have his|her key in the
> keyring.
>

... and still have it after that upload :-P

--
Francesco P. Lovergine


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Michael Banck wrote:
> On Wed, Apr 16, 2008 at 02:19:12PM +0200, Kai Wasserbäch wrote:
>> on the 1st of April I wrote an e-mail to James Troup offering my help in hunting
>> down open bugs which are no longer present an thus enabling him to concentrate
>> on packaging GnuPG 1.4.9. But his last action regarding this package is well
>> over an year old and the only updates I can see in the PTS were made by the
>> Security Team. And before I forget to write it: I didn't receive an answer.
>> So my question is: Is James known to be inactive? Are there others currently on
>> the task to get a new version (upstream has 1.4.9) into Debian? Is there
>> anything I can help (I'm certainly not suitable as a maintainer for that package
>> myself, because it's too essential to be entrusted to someone who is unknown to
>> (nearly) all people on this list) with, e.g. by triaging bugs?
>
> I guess triaging bugs (i.e. marking bugs which have been fixed upstream
> in newer versions as "fixed-upstream" or mention bugs which can be
> closed already cause they are fixed in the current version in the
> appropriate bug (CCing the submitter, so they can possibly close it
> themselves) is always welcome, regardless of any other action or
> non-action by the maintainer.

gnupg is very important and unmaintained for all practical purposes.
It should be hijacked and brought into shape for Lenny.

Cheers,
Moritz


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On 16/04/08 at 17:08 +0200, Francesco P. Lovergine wrote:
> On Wed, Apr 16, 2008 at 04:49:50PM +0200, Christian Perrier wrote:
> > There are rumours about that, yes. Maybe a package hijack could be
> > attempted by someone who's lucky enough to have his|her key in the
> > keyring.
>
> ... and still have it after that upload :-P

You are probably joking.

But if a member of a team with some special rights on the Debian
infrastructure (ab)used his/her rights to remove a key from the keyring,
or to prevent access to Debian resources, for no valid reason or without
a proper procedure, I'm sure that many developers would loudly protest
and wouldn't let that happen.
--
| Lucas Nussbaum
| lucas@lucas-nussbaum.net http://www.lucas-nussbaum.net/ |
| jabber: lucas@nussbaum.fr GPG: 1024D/023B3F4F |


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On Wed, Apr 16, 2008 at 09:33:32PM +0200, Lucas Nussbaum wrote:
> On 16/04/08 at 17:08 +0200, Francesco P. Lovergine wrote:
> > On Wed, Apr 16, 2008 at 04:49:50PM +0200, Christian Perrier wrote:
> > > There are rumours about that, yes. Maybe a package hijack could be
> > > attempted by someone who's lucky enough to have his|her key in the
> > > keyring.
> >
> > ... and still have it after that upload :-P
>
> You are probably joking.
>

Of course yes, isn't that evident?

--
Francesco P. Lovergine


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Am Mittwoch, den 16.04.2008, 14:19 +0200 schrieb Kai Wasserbäch:

> on the 1st of April I wrote an e-mail to James Troup offering my help in hunting
> down open bugs which are no longer present an thus enabling him to concentrate
> on packaging GnuPG 1.4.9. But his last action regarding this package is well
> over an year old and the only updates I can see in the PTS were made by the
> Security Team. And before I forget to write it: I didn't receive an answer.
> So my question is: Is James known to be inactive? Are there others currently on
> the task to get a new version (upstream has 1.4.9) into Debian?

I tried to get into it after I found, that several issues were fixed.
You can find some tagging and commenting by my person at the BTS. But
for known reasons (told it on the planet), I'm currently busy and
offline.

However: We should REALLY give more love to this package. I mean, there
is a very active and helpful upstream, but an inactive maintenance which
lead to >130 open bug report. I don't think, that upstream will keep up
taking care of bug reports in the Debian BTS with this amount of
reports. We should try to track down issues and decrease the amount of
open bug reports to keep the good relationship to upstream. I hope, you
understand, what I want to say. I mean: having such an upstream is a
very fortunate situation.

> Is there
> anything I can help (I'm certainly not suitable as a maintainer for that package
> myself, because it's too essential to be entrusted to someone who is unknown to
> (nearly) all people on this list) with, e.g. by triaging bugs?
>
> Should this question already have been discussed somewhere, please point me to it.

Here is, what I found out yet after a short look (just a c&p):

*** Main:
452118: new upstream release

*** Fixed in 1.4.7 and newer:
201589: Removed shutdown code in util/http.c and fix http_proxy (739)
402592: Limit bytes read for an unknown alogorithm
412508,
420613: Build changes to fully evaluate paths
431828: Decrypt multiple files and not just the first

*** Maybe fixed 1.4.7 and newer:
...

*** Fixed in older releases:
72148: will deadlock with no timeout if keyserver cannot close socket (151)
137381: http_proxy support (361)
146345: gnupg: Can't restrict access to secring.gpg (--enable-selinux-support)

*** Maybe fixed in older releases (needs to be verified):
166794,
172823: --search leads to segfault

*** Forward candidates:
58260,
317654: remove existing lockfiles

*** Wontfix candidates (upstream rejected without final notice or candidate):
310805: gnupg: fully exportable armored homedir is completely impossible now!
162742: gnupg: Please handle "deprecated option honor-http-proxy"

*** Close candidate (upstream rejected change):
185782: `--batch --output existingfile' outputs nothing and exits 0
196681: gnupg: gpg says /dev/null@alea isn't a valid email address

*** Maybe is addressed (patch exists somehow and somewhere):
262467: 16_min_privileges breaks gpg on kernels without capabilities

*** Maybe should be addressed:
130363: gnupg: Duplicate key is handled as error (upstream)
133923: gnupg: Reports bug on --list-keys

*** Debian package related (to fix with update):
357267: conditional libcap-dev dependency
399092: debian/gzip.1 manpage
399167: ldap -> recommends
453122: not suid-root

> Thank you in advance for your reply(s).

HTH
(will be back during mid of May and I'm willing to help)

Regards, Daniel