Bug 286046 - security/gnupg: Usage of FreePG patchset to conform to OpenPGP
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Adriaan de Groot
Reported: 2025-04-12 00:23 UTC by Guillem Jover
Modified: 2025-04-22 20:31 UTC
bugzilla: maintainer-feedback? (adridg)


Description Guillem Jover 2025-04-12 00:23:26 UTC
Hi!

The GnuPG project has declared it will no longer follow the OpenPGP specification going forward (specifically RFC 9580), and has instead forked it into its own LibrePGP one, based on an old OpenPGP revision which had no consensus in the IETF working group. This is a cause of major concern for interoperability in circles that make heavy use of OpenPGP, and among the other conformant OpenPGP implementations around. This has been called the OpenPGP schism, and has been covered in some online journals.

At least many major GNU/Linux distributions have started to patch their GnuPG packages with a subset of common patches collected by the FreePG project, that try to make downstream work easier. Those include not defaulting to LibrePGP, and changing defaults to better and more secure ones.

The FreePG project can be found at https://gitlab.com/freepg/gnupg. It would be nice if several of those patches could be picked up. AFAIUI, I think the most important ones would be all the "compliance" ones in addition to patch 0023-gpg-Reintroduce-openpgp-as-distinct-from-rfc4880.patch.