Bug 198449

Summary: [NEW PORT] security/gpg4usb: GUI frontend for GnuPG
Product: Ports & Packages
Reporter: Yuri Victorovich <yuri>
Component: Individual Port(s)
Assignee: Yuri Victorovich <yuri>
Status: Closed Not Accepted
Severity: Affects Only Me
CC: ben, delphij, portmgr, ultima
Priority: ---
Keywords: needs-qa, patch
Version: Latest
Hardware: Any
OS: Any
Bug Depends on:
Bug Blocks: 200929
Attachments (Description: Flags):
* shar archive adding security/gpg4usb: none
* patch adding USE_SVNREPO feature: none
* poudriere log: none
* poudriere log: none
* patch: none
* patch adding USE_SVNREPO feature: none

Description Yuri Victorovich freebsd_committer 2015-03-09 11:45:51 UTC
Please find attached the following files:
* security-gpg4usb.shar adding this port itself
* USE_SVNREPO.patch patch adding new feature USE_SVNREPO
* poudriere log for security/gpg4usb

gpg4usb is a pretty popular app, with very good reviews. Many people who prefer GUI frontends will find it very useful.

gpg4usb, unlike most other packages, doesn't distribute source tarballs, and only offers its source code through the public subversion repository. In order to allow FreeBSD ports to work with such a setup, I implemented the new generic feature USE_SVNREPO. It allows the ports system to check out the specific revision from the subversion repository, create the tarball locally, and proceed from there as usual.
Comment 1 Yuri Victorovich freebsd_committer 2015-03-09 11:46:47 UTC
Created attachment 154050
shar archive adding security/gpg4usb
Comment 2 Yuri Victorovich freebsd_committer 2015-03-09 11:47:44 UTC
Created attachment 154051
patch adding USE_SVNREPO feature
Comment 3 Yuri Victorovich freebsd_committer 2015-03-09 11:48:47 UTC
Created attachment 154052
poudriere log
Comment 4 Yuri Victorovich freebsd_committer 2015-03-09 12:12:21 UTC
Created attachment 154058
poudriere log
Comment 5 Yuri Victorovich freebsd_committer 2015-03-09 12:12:50 UTC
Created attachment 154059
patch
Comment 6 Yuri Victorovich freebsd_committer 2015-03-11 00:02:17 UTC
Created attachment 154173
patch adding USE_SVNREPO feature
Comment 7 Xin LI freebsd_committer 2015-06-17 04:17:35 UTC
Hi,

I'd like to request an additional feature for USE_SVNREPO -- can you make it work in a way that it would prefer using non-svn checkouts unless a certain FORCE_* variable is defined?  Ideally, we want the distfile to be mirrored/cached so that not all installs hit the upstream svn server, and svn would only be used as a last resort.

Also I think it's probably a good idea to make this a more generic framework so in the future, other SCMs can be easily added.
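
The fetch order requested in comment 7, as an added example that is not part of the USE_SVNREPO patch or the ports framework. FORCE_SVN, fetch_distfile, build_from_svn, SVN_URL, SVN_REV, the local mirror directory and the SHA-256 pin are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: cache first, then mirror, svn only as a last resort.
# FORCE_SVN=1 (hypothetical variable) skips cache and mirror.
# Assumption: the tarball built from the pinned revision is byte-reproducible,
# so one recorded SHA-256 covers every source.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1     # GNU coreutils
    else
        sha256 -q "$1"                     # FreeBSD base system
    fi
}

# True only if the file exists and matches the recorded digest.
verified() { [ -f "$1" ] && [ "$(sha256_of "$1")" = "$2" ]; }

# Stand-in for the checkout step: export one pinned revision and tar it.
# SVN_URL and SVN_REV are placeholders supplied by the caller. A real
# implementation must also normalise mtimes, owners and file order so the
# digest matches; that is omitted here.
build_from_svn() {
    work=$(mktemp -d) || return 1
    svn export -q -r "$SVN_REV" "$SVN_URL" "$work/src" &&
        tar -cf "$1" -C "$work" src
    rc=$?; rm -rf "$work"; return $rc
}

# fetch_distfile NAME SHA256 DISTDIR MIRRORDIR -> prints cache|mirror|svn
# MIRRORDIR is a local directory standing in for a distfile mirror.
fetch_distfile() {
    want=$2; dist=$3/$1; mirror=$4/$1
    if [ "${FORCE_SVN:-0}" != 1 ]; then
        if verified "$dist" "$want"; then echo cache; return 0; fi
        if [ -f "$mirror" ] && cp "$mirror" "$dist.tmp" &&
           verified "$dist.tmp" "$want"; then
            mv "$dist.tmp" "$dist"; echo mirror; return 0
        fi
        rm -f "$dist.tmp"    # a mirror copy that fails the digest is dropped
    fi
    # Last resort: upstream svn. The result is held to the same digest.
    build_from_svn "$dist.tmp" && verified "$dist.tmp" "$want" &&
        mv "$dist.tmp" "$dist" && echo svn && return 0
    rm -f "$dist.tmp"; return 1
}
```

A mirror copy that fails the digest falls through to svn rather than aborting, and nothing is moved into DISTDIR unless it matches the recorded value.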
Comment 8 Yuri Victorovich freebsd_committer 2015-06-17 06:13:40 UTC
It looks like gpg4usb is in the process of moving to GitHub, so this isn't a good use case for USE_SVNREPO any more.

Xin LI,

I implemented your suggestion to generalize it for different SCMs, and split it into another bug: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200929

Your second suggestion is pending implementation.

Yuri
Comment 9 VK freebsd_triage 2016-05-23 01:01:36 UTC
Hi guys, what's the status of this? Is this still a valid new port submission?
Comment 10 Yuri Victorovich freebsd_committer 2016-05-23 02:13:04 UTC
Let me review it.
Comment 11 Richard Gallamore freebsd_committer 2017-06-11 00:11:28 UTC
This project moved from svn to GitHub; this needs to be changed.
https://github.com/gpg4usb/gpg4usb
Comment 12 Ben McGinnes 2018-11-06 04:53:04 UTC
Please do not add GPG4USB to FreeBSD.

While it was a popular adaptation in some niche areas a few years ago, that is clearly no longer the case due to the following known issues:

 1. The last stable release was in January, 2016.
 2. The last update to the project repository on GitHub, where it migrated to, was in January, 2018.
 3. It only supports GnuPG 1.4.x which, as of May this year, no longer receives any updates save for the most critical security updates.
 4. GnuPG 1.4.x supports deprecated OpenPGP key formats which are susceptible to a number of security flaws.
 5. GnuPG 1.4.x does not provide support for elliptic curves.
 6. GnuPG 1.4.x is only maintained for backwards compatibility or archive retrieval purposes; it is not intended for current use and including GPG4USB here would potentially imply that it can.
 7. GPG4USB may be in breach of license with the manner of their use of GPGME as they appear to have modified GPGME itself and are themselves using the GPLv3, but we have yet to see what those modifications actually are or were.
 8. GPG4USB is definitely susceptible to a number of known security issues which have been known for at least a couple of years or more.  They've also been fixed.
 9. A fairly recent case raised by an end user who was unaware that GPG4USB was not part of the GnuPG Project goes into a little greater detail here:

    https://dev.gnupg.org/T3963

The only other reference to this project on the GnuPG bug tracker is an unrelated matter with more to do with Unicode adoption by Microsoft or, perhaps more accurately, the incompleteness of it.

Anyway, in the interests of end user security, the GNU Privacy Guard would greatly appreciate it if you let this project die.
Comment 13 Yuri Victorovich freebsd_committer 2018-11-06 05:03:36 UTC
Ok, thanks for this information.