Please find attached the following files:
* security-gpg4usb.shar adding this port itself
* USE_SVNREPO.patch patch adding new feature USE_SVNREPO
* poudriere log for security/gpg4usb
gpg4usb is a pretty popular app, with very good reviews. Many people who prefer GUI frontends will find it very useful.
gpg4usb, unlike most other packages, doesn't distribute source tarballs, and only offers its source code through the public subversion repository. In order to allow FreeBSD ports to work with such a setup, I implemented the new generic feature USE_SVNREPO. It allows the ports system to check out a specific revision from the subversion repository, create the tarball locally, and proceed from there as usual.
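To make the described mechanism concrete, here is an added stand-alone prototype (not the submitter's USE_SVNREPO patch, which is not on this page, and not code from the gpg4usb project) of the same idea: export one pinned revision, pack it into a tarball whose bytes depend only on file paths and contents, and verify that archive against a pinned SHA-256 the way a normal distfile is checked against distinfo. The deterministic packing is what makes a locally generated tarball mirrorable and verifiable; without it every machine would produce a different hash for the same revision. The function names (`svn_export`, `pack_deterministic`, `fetch_and_verify`, `demo`), the `gpg4usb-r123` directory name and the sample tree built in `demo` are assumptions constructed for this example.

```python
"""Added example: checksum-verifiable fetch of a pinned SCM revision.

Not the USE_SVNREPO patch from the bug report; a hypothetical prototype of
the same idea with constructed names and sample data.
"""
import gzip
import hashlib
import io
import os
import subprocess
import tarfile
import tempfile

# Fixed metadata so the archive depends only on the tree's paths and contents.
_FIXED_MTIME = 0
_FIXED_MODE = 0o644


def svn_export(repo_url: str, revision: int, dest: str) -> None:
    """Export exactly one pinned revision with the real svn client.

    Needs network access and an svn binary; the offline demo below does not
    call it, it only shows where the checkout step would sit.
    """
    subprocess.run(
        ["svn", "export", "-q", "-r", str(revision), repo_url, dest], check=True
    )


def pack_deterministic(src_dir: str, top_name: str) -> bytes:
    """Return a .tar.gz of src_dir whose bytes are stable across machines.

    Files are added in sorted order under top_name/, with mtime, mode, uid,
    gid and owner names pinned, and the gzip header mtime set to 0.
    Empty directories are not recorded (keeps the example short).
    """
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for root, dirs, files in os.walk(src_dir):
                dirs.sort()  # walk subdirectories in a stable order
                for name in sorted(files):
                    full = os.path.join(root, name)
                    rel = os.path.relpath(full, src_dir)
                    info = tar.gettarinfo(full, arcname=os.path.join(top_name, rel))
                    info.mtime = _FIXED_MTIME
                    info.mode = _FIXED_MODE
                    info.uid = info.gid = 0
                    info.uname = info.gname = ""
                    with open(full, "rb") as fh:
                        tar.addfile(info, fh)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_and_verify(src_dir: str, top_name: str, expected_sha256: str) -> bytes:
    """Pack an exported tree and verify it against the pinned checksum.

    Mirrors the distinfo check a port normally does on a downloaded tarball:
    a mismatch aborts the build instead of silently using changed sources.
    """
    archive = pack_deterministic(src_dir, top_name)
    actual = sha256_hex(archive)
    if actual != expected_sha256:
        raise RuntimeError(f"checksum mismatch: expected {expected_sha256}, got {actual}")
    return archive


def demo() -> dict:
    """Offline demonstration on a constructed source tree (no svn needed)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "checkout")
        os.makedirs(os.path.join(src, "src"))
        with open(os.path.join(src, "src", "main.cpp"), "w") as fh:
            fh.write("int main() { return 0; }\n")  # constructed sample content
        readme = os.path.join(src, "README")
        with open(readme, "w") as fh:
            fh.write("constructed demo tree\n")

        first = pack_deterministic(src, "gpg4usb-r123")
        pinned = sha256_hex(first)  # what a distinfo entry would record

        # A fresh checkout elsewhere gets different mtimes; the hash must not.
        for root, _, files in os.walk(src):
            for f in files:
                os.utime(os.path.join(root, f), (1_700_000_000, 1_700_000_000))
        second = pack_deterministic(src, "gpg4usb-r123")
        verified = fetch_and_verify(src, "gpg4usb-r123", pinned) == first

        # Changed content (e.g. a different revision) must fail verification.
        with open(readme, "a") as fh:
            fh.write("tampered line\n")
        try:
            fetch_and_verify(src, "gpg4usb-r123", pinned)
            tamper_detected = False
        except RuntimeError:
            tamper_detected = True

    return {
        "reproducible": first == second,
        "verified": verified,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the three checks; the only part that would differ in a real port is that `svn_export` runs first to populate the directory handed to `fetch_and_verify`.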
Created attachment 154050
shar archive adding security/gpg4usb
Created attachment 154051
patch adding USE_SVNREPO feature
Created attachment 154052
Created attachment 154058
Created attachment 154059
Created attachment 154173
patch adding USE_SVNREPO feature
I'd like to request an additional feature for USE_SVNREPO: can you make it work in a way that it would prefer using non-svn checkouts unless a certain FORCE_* variable is defined? Ideally, we want the distfile to be mirrored/cached so that not all installs hit the upstream svn server, and svn would only be used as a last resort.
Also, I think it's probably a good idea to make this a more generic framework so that in the future other SCMs can be easily added.
It looks like gpg4usb is in the process of moving to GitHub, so this isn't a good use case for USE_SVNREPO any more.
I implemented your suggestion to generalize it for different SCMs, and split it into another bug: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200929
Your second suggestion is pending implementation.
Hi guys, what's the status of this? Is this still a valid new port submission?
Let me review it.
This project moved from svn to github; this needs to be changed.
Please do not add GPG4USB to FreeBSD.
While it was a popular adaptation in some niche areas a few years ago, that is clearly no longer the case due to the following known issues:
1. The last stable release was in January, 2016.
2. The last update to the project repository on github, where it migrated to, was in January, 2018.
3. It only supports GnuPG 1.4.x which, as of May this year, no longer receives any updates save for the most critical security updates.
4. GnuPG 1.4.x supports deprecated OpenPGP key formats which are susceptible to a number of security flaws.
5. GnuPG 1.4.x does not provide support for elliptic curves.
6. GnuPG 1.4.x is only maintained for backwards compatibility or archive retrieval purposes; it is not intended for current use, and including GPG4USB here would potentially imply that it can be.
7. GPG4USB may be in breach of license with the manner of their use of GPGME as they appear to have modified GPGME itself and are themselves using the GPLv3, but we have yet to see what those modifications actually are or were.
8. GPG4USB is definitely susceptible to a number of known security issues which have been known for at least a couple of years or more. They've also been fixed.
9. A fairly recent case raised by an end user who was unaware that GPG4USB was not part of the GnuPG Project goes into a little greater detail here:
The only other reference to this project on the GnuPG bug tracker is an unrelated matter with more to do with Unicode adoption by Microsoft or, perhaps more accurately, the incompleteness of it.
Anyway, in the interests of end user security, the GNU Privacy Guard would greatly appreciate it if you let this project die.
Ok, thanks for this information.