gnupg: Update to v2.5.19 #6224
Conversation
I'm a bit worried since Arch isn't motivated to update and we usually wait for them. But if upstream is forcing us we kinda have to.
This is a major version jump from the 2.4.x series to 2.5.x. The GnuPG project has promoted 2.5 to "stable" status, with 2.4.9 now labeled "oldstable" on the download page (https://gnupg.org/download/index.html). Werner Koch's release announcement for 2.5.19 explicitly states that "the old 2.4 series reaches end-of-life in just two months" and urges users to update (https://lists.gnupg.org/pipermail/gnupg-announce/2026q2/000504.html). The EOL date for 2.4 is 2026-06-30 per the GnuPG EOL table.

This is a departure from Arch Linux, which still ships 2.4.9 as of this writing. Arch's gnupg maintainer has historically waited for upstream to fully stabilize major branches before upgrading, and GnuPG is particularly sensitive because pacman depends on it for package signature verification. However, with upstream now unambiguously designating 2.5.19 as the stable release and 2.4's EOL imminent, there is no reason to wait.

Note that GnuPG 2.5 was initially considered a development branch. In March 2025, an earlier attempt to upgrade to 2.5.5 was abandoned for exactly this reason (git-for-windows/git#5471, msys2#5244). The promotion to stable happened around the 2.5.16 release in late December 2025.

The main new features in the 2.5 series compared to 2.4 are support for Kyber (ML-KEM / FIPS-203) post-quantum cryptography encryption and improvements for 64-bit Windows. Beyond PQC, the differences from 2.4 are mostly internal, leveraging newer features from supporting libraries. Full compatibility with previous versions is maintained.

The freepg patch set (https://gitlab.com/freepg/gnupg/-/tree/main) has been switched from the STABLE-BRANCH-2-4 series to the master-freepg series, which tracks the 2.5/master branch. This changes the patch numbering and composition:

Patches dropped (no longer needed for 2.5):
- "tests: add test cases for import without uid" (test files, test script, and Makefile.am reference are all present in 2.5.19 upstream)
- "Sync compliance mode cleanup with master" (was a backport from master to 2.4; unnecessary when building master directly)
- "Do not use a default when asking for another output filename" (upstreamed in GnuPG 2.5.14, see https://dev.gnupg.org/T7908)

New patches added for the master series:
- 0028: Revert the removal of the default keyserver
- 0040: Add missing test files to EXTRA_DIST
- 0041: Skip trust packets during import/restore (gpg.fail mitigation)
- 0042: Compat flag to downgrade truncated-line errors to warnings
- 0043: Fail on unprintable armor headers (gpg.fail mitigation)

The freepg 0042 patch as distributed has a bug: it defines COMPAT_IGNORE_TRUNCATED_LINE as 32, which collides with the upstream COMPAT_ALLOW_NOT_DASH_ESCAPED flag (also 32, added in 2.5.15). This has been fixed locally by changing the value to 64.

The avoid_beta_warning patch has been refreshed against the 2.5.19 autogen.sh, which has new context (a $matchexcl variable and a cid field in the non-git code path) compared to 2.4. The patch was renamed from gnupg-2.4-avoid_beta_warning.patch to gnupg-2.5-avoid_beta_warning.patch to reflect the new target version.

The MSYS2-specific patch (0001-gnupg-2.2.8-msys2.patch) applies cleanly; the permission check it relaxes (S_IRWXG|S_IRWXO to S_IWGRP|S_IWOTH in the homedir validation) is unchanged in 2.5.19.

The --enable-maintainer-mode configure flag has been dropped. It caused make to re-run autotools when timestamps did not match, which fails when the installed automake version differs from the one used to generate the tarball. The autogen.sh --force call in prepare() already regenerates everything needed after patches are applied, so maintainer mode is not needed.

Assisted-by: Claude Opus 4.6
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Right. I also checked whether Arch was moving, and I checked whether there had been any proper announcement of the GnuPG project that they were no longer considering the v2.4/v2.5 stable/development split, but true to form they mentioned this in passing.
https://lwn.net/Articles/1055053/ I heard that GnuPG 2.5 introduced a new LibrePGP protocol, which is incompatible with OpenPGP, and that's why Fedora, ... haven't updated to GnuPG 2.5 so far. Does anyone know whether it is solved now? I only wish this PR would break nothing...
@Master-Hash oh wow! I don't know how I missed this drama, thank you for pointing to this! In light of the backward-incompatible change, I think I'll "soft-retract" this PR by demoting it to a draft. My immediate reaction to reading up about all this drama is to consider staying with 2.4 plus patches from https://gitlab.com/freepg/gnupg...
This upgrades GnuPG from v2.4.9 to v2.5.19, the current stable release.
Why now?
GnuPG v2.5 has been promoted from "development" to stable. The download page now labels v2.5.19 as "GnuPG (stable)" and v2.4.9 as "GnuPG (oldstable)".
Werner Koch's release announcement for v2.5.19 is explicit:
The EOL date for v2.4 is 2026-06-30, roughly two months from now.
History
GnuPG v2.5 was initially considered a development branch (odd minor version, following the Linux kernel convention). In March 2025, an earlier attempt to upgrade to v2.5.5 was abandoned for this reason, and the corresponding git-for-windows/git ticket was closed with the note that "v2.5.5 is not on the stable version train."
The promotion to stable happened around the v2.5.16 release in late December 2025. The GnuPG EOL table now lists "2.5, 2.6" together as the current Long Term Support track.
Arch Linux still ships v2.4.9 as of this writing. Their gnupg maintainer has noted that they "usually wait until Arch updates gnupg since there have been compat issues in the past." With upstream now unambiguously designating v2.5.19 as stable and v2.4's EOL imminent, there is no reason to wait for Arch to move first.
What's new in v2.5?
The headline features of the v2.5 series compared to v2.4 are:
Beyond PQC, the changes are mostly internal, leveraging newer features from supporting libraries.
Patch changes
The freepg project maintains the extra patches that both Arch and we carry. For v2.5, these come from the `master-freepg` series instead of `STABLE-BRANCH-2-4-freepg`, with different numbering.
Dropped (no longer needed):
Added for the master series:
Fixed: The freepg 0042 patch as distributed defines `COMPAT_IGNORE_TRUNCATED_LINE` as 32, colliding with the upstream `COMPAT_ALLOW_NOT_DASH_ESCAPED` flag (also 32, added in v2.5.15). Fixed locally to 64.
Refreshed: The `avoid_beta_warning` patch was regenerated against v2.5.19's `autogen.sh` (context drift in `$matchexcl` and `cid` fields) and renamed to `gnupg-2.5-avoid_beta_warning.patch`.
The MSYS2-specific patch (`0001-gnupg-2.2.8-msys2.patch`) applies cleanly without modification.
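Both the commit message and the "Fixed:" item above describe the same defect: freepg 0042 assigned bit value 32 to COMPAT_IGNORE_TRUNCATED_LINE, the value upstream already uses for COMPAT_ALLOW_NOT_DASH_ESCAPED. The added example below, which is not GnuPG or freepg code, models why that matters and how to catch it. It builds a name-to-bit table in the style of a `--compatibility-flags` option parser with the flag at its shipped value (32) and at the locally fixed value (64), shows that with the collision enabling one behaviour silently enables the other, and includes a table sanity check a maintainer could run as a test. The option name strings, the table layout and the parser are assumptions for illustration; the flag values are those stated in the PR.

```c
/* Added example, not GnuPG or freepg code. The flag values (32 / 32 / 64)
 * come from the PR text; the option name strings, table layout and parser
 * are assumptions that mimic a --compatibility-flags style option. */
#include <stdio.h>
#include <string.h>

struct compat_flag { const char *name; unsigned value; };

#define COMPAT_ALLOW_NOT_DASH_ESCAPED        32  /* upstream, added in 2.5.15 */
#define COMPAT_IGNORE_TRUNCATED_LINE_SHIPPED 32  /* freepg 0042 as distributed */
#define COMPAT_IGNORE_TRUNCATED_LINE_FIXED   64  /* local fix in this PR */

static const struct compat_flag buggy_table[] = {
  { "allow-not-dash-escaped", COMPAT_ALLOW_NOT_DASH_ESCAPED },
  { "ignore-truncated-line",  COMPAT_IGNORE_TRUNCATED_LINE_SHIPPED },
};
static const struct compat_flag fixed_table[] = {
  { "allow-not-dash-escaped", COMPAT_ALLOW_NOT_DASH_ESCAPED },
  { "ignore-truncated-line",  COMPAT_IGNORE_TRUNCATED_LINE_FIXED },
};
#define NTABLE 2

/* Look up one flag name; 0 means unknown (and sets nothing). */
static unsigned lookup_flag(const struct compat_flag *t, size_t n, const char *name) {
  for (size_t i = 0; i < n; i++)
    if (strcmp(t[i].name, name) == 0) return t[i].value;
  return 0;
}

/* Parse "a,b,c" into a bitmask, the way an option parser fills a flags word. */
static unsigned parse_compat_flags(const struct compat_flag *t, size_t n, const char *spec) {
  unsigned mask = 0;
  char buf[256];
  strncpy(buf, spec, sizeof buf - 1);
  buf[sizeof buf - 1] = '\0';
  for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ","))
    mask |= lookup_flag(t, n, tok);
  return mask;
}

/* The consumer-side test: is the named behaviour enabled in this mask? */
static int flag_enabled(const struct compat_flag *t, size_t n, unsigned mask, const char *name) {
  return (mask & lookup_flag(t, n, name)) != 0;
}

/* Maintainer-side check: every value is a single, distinct bit. 1 = sane. */
static int table_is_sane(const struct compat_flag *t, size_t n) {
  unsigned seen = 0;
  for (size_t i = 0; i < n; i++) {
    unsigned v = t[i].value;
    if (v == 0 || (v & (v - 1)) != 0) return 0;  /* zero or more than one bit */
    if (seen & v) return 0;                      /* bit already taken */
    seen |= v;
  }
  return 1;
}

/* Enable only allow-not-dash-escaped, then ask whether ignore-truncated-line
 * appears enabled. With the collision it does; with the fix it does not. */
static int buggy_leaks(void) {
  unsigned m = parse_compat_flags(buggy_table, NTABLE, "allow-not-dash-escaped");
  return flag_enabled(buggy_table, NTABLE, m, "ignore-truncated-line");
}
static int fixed_leaks(void) {
  unsigned m = parse_compat_flags(fixed_table, NTABLE, "allow-not-dash-escaped");
  return flag_enabled(fixed_table, NTABLE, m, "ignore-truncated-line");
}

int main(void) {
  printf("shipped table sane: %d, leaks: %d\n", table_is_sane(buggy_table, NTABLE), buggy_leaks());
  printf("fixed   table sane: %d, leaks: %d\n", table_is_sane(fixed_table, NTABLE), fixed_leaks());
  return 0;
}
```

The consequence of the collision is the security-relevant part: a user who opted into the upstream dash-escaping leniency would also, without asking for it, have truncated-line errors downgraded to warnings, and vice versa. The `table_is_sane` check is the kind of guard worth keeping in a patch series that adds flags to a table it does not own.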