I've just finished more or less, adjusting the APT test suite
to test gpgv-sq. I plan to upload APT that tests gpgv-sq
tomorrow. This ensures full compatibility between apt and
gpgv-sq going forward.

After that migrates to testing next week, I want to make
the switch: APT by default should use gpgv-sq. Previous
discussions with the security team did not reveal any
blockers for that, despite the strenuous nature of
security updates for Rust packages.

My plan here is to use

Depends: gpgv-from-sq | gpgv-sq | gpgv
Recommends: gpgv-sq

To do 2 things:

1) The Depends will install gpgv-from-sq on new systems. The
gpgv-from-sq package diverts /usr/bin/gpgv to gpgv-g10code
and Provides gpgv, installing a symlink to gpgv-sq.

This ensures that while switching to gpgv-sq, the default
bootstrap does not change in exposed functionality: There
is a /usr/bin/gpgv available.

This does not affect existing systems, as the dependency
is already satisfied by the gpgv alternative.

An optimal mechanism would instea

2) The Recommends ensures that the signature verification
as used by APT is changed, as APT also will prefer gpgv-sq
over gpgv if installed.

This means existing systems will have two gpgv implementations:

- /usr/bin/gpgv from GnuPG
- /usr/bin/gpgv-sq from Sequioa

This is not necessarily the best outcome. We could change
it to gpgv-from-sq as well, such that systems remain with
a single /usr/bin/gpgv. I don't particularly like the idea
of forcing a software change on users, but in the sense of
two systems behaving the same way that of course would be
preferable.

As for ports without gpgv-sq, this does not affect them,
they can be served by the gpgv alternative. Once a gpgv-sq
is available, it's important to note that no migration happens
for them: APT does not install Recommends that were previously
unsatisfied.

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEET7WIqEwt3nmnTHeHb6RY3R2wP3EFAmc/lREACgkQb6RY3R2w P3EqRg/+MPyJVyrqLkxJqU1ipvKDPyoPQJ/jvjwcL96A+4GbhbMAJuqh9CgIL7o7 +DHfrA8diMcENd6DL21gNdMx1GRXBsLfxphnk8qD3e7s+4JjfcjOMHYnN2QD4/q5 q3xXNI44KnzQjqdRbCpcCI1yD5HCBCCBarB+VDQAgecWH01gNLhDB3gWm7Oz4z/M UsxK9tFWqzwglhYQ3yJkQFO+PFUKQHVeCLYLPT83TmicT+//0M6ZtEy/0RHF8qKn OGDXlLfICmEDtOLTL3kUWXERHwtIlQJCIp21J0oGrsjgksHz+tU56+HqAKA6CJyh QnnreMGLDyjstxuub+jm6HR24GK9a35BxqIEkpICqpyaJgkwamVZG2mnAINjQgJQ Y4dnbM8X7j654qVUEg4yD7Z73ecvVCujsA22s4unJG/pol9/dzWog9GTdLAfvyks L5y6HFM6J/b9CwHZn6ORrLGLh1E4BUjbNJr6y2Sq06lXG/8oIoFtSgB9YmiNBqtl KSzcSbVup0EylJvrVZ09stjqqOGQESWKxc7PMN/O9EuR9VYKFFX5htr+RYSJ/ZLn HTUaISW52KcxnCDTN164s3lo6EJlIS9bg0cLlZjtAQSFu4pAoZTDK6/7aQAysER8 tyjSk4h2KiCmgP731dhq/3RAvo/LeEw3F890YwBzOEsKofPeMhc=
=uVO/
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Ori

On 21/11/24 21:16, Julian Andres Klode wrote:

1) The Depends will install gpgv-from-sq on new systems. The
gpgv-from-sq package diverts /usr/bin/gpgv to gpgv-g10code
and Provides gpgv, installing a symlink to gpgv-sq.

Unrelated to the apt proposal, how come dpkg-divert is being used here
by gpgv-from-sq instead of using the what-is-python/python-is-pythonX
approach of just shipping a symlink?

The python-is-pythonX approach is much simpler, fully declarative (as
in: the future state of the system is statically described by the
content of the package, not at runtime), and removes the need for the maintscripts to know about the other implementations.

Regards,

--
Gioele Barabucci

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On 11/22/24 05:49, Gioele Barabucci wrote:

Unrelated to the apt proposal, how come dpkg-divert is being used here
by gpgv-from-sq instead of using the what-is-python/python-is-pythonX approach of just shipping a symlink?

Because there is no coordination between gpgv and gpgv-sq packages, and dependent packages should have no reason to care. gpgv-sq unilaterally
claims compatibility, and if something breaks as a result, that is a bug
in gpgv-sq, because the interface of gpgv is defined by the g10code implementation.

The python-is-pythonX approach is much simpler, fully declarative (as
in: the future state of the system is statically described by the
content of the package, not at runtime), and removes the need for the maintscripts to know about the other implementations.

The python-is-pythonX approach is for *incompatible* changes, where
depending packages have a need to specify which version they expect to
use, and introducing indirect conflicts is acceptable because it cannot
be avoided.

Simon

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2024-11-21 21:16:20, Julian Andres Klode wrote:

I've just finished more or less, adjusting the APT test suite
to test gpgv-sq. I plan to upload APT that tests gpgv-sq
tomorrow. This ensures full compatibility between apt and
gpgv-sq going forward.

Excuse my ignorance, but what is gpgv-sq/Sequoia? I just saw very
recently the package name (like, two days ago), and while the
description says "it is an alternative implementation", that doesn't say
what's the context here.

I'm not happy with the heavyness that one gets via gpg just for
verifying signatures, so I'd be all for a lighter-weight solution.

I found https://lwn.net/Articles/830902/ which explains what Sequoia is,
but in Debian, is there a bigger plan for GnuPG -> Sequoia, or just
piecemeal adoption?

thanks!
iustin

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Nov 21, Julian Andres Klode <jak@debian.org> wrote:

I've just finished more or less, adjusting the APT test suite
to test gpgv-sq. I plan to upload APT that tests gpgv-sq
tomorrow. This ensures full compatibility between apt and
gpgv-sq going forward.

OK, but why?

Did you make an analysis of how much the size of a minimal system would change?

--
ciao,
Marco

-----BEGIN PGP SIGNATURE-----

iHUEABYIAB0WIQQnKUXNg20437dCfobLPsM64d7XgQUCZz+5tgAKCRDLPsM64d7X gRrQAQDC/KodOEIqtN9DCpSI0Avt1S/V+aQImGZldFBuEthVEQD9HgNG//cb7BNx g3wl9HC8riQFcaPnQn3jIpi0BFOoeAs=
=5EoV
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Nov 22, 2024 at 06:46:10AM +0900, Simon Richter wrote:

Because there is no coordination between gpgv and gpgv-sq packages,

that's not entirely true.

and
dependent packages should have no reason to care. gpgv-sq unilaterally
claims compatibility, and if something breaks as a result, that is a bug in gpgv-sq, because the interface of gpgv is defined by the g10code implementation.

this is true.


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

It's not climate change nor climate crisis, it's climate disaster.

-----BEGIN PGP SIGNATURE-----

iQIyBAABCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmc/0S0ACgkQCRq4Vgaa qhzczw/3YyiraEl0hJjjd1A6/z/lNybauEOApepAus7GX9QCOo+LMjDtnO+8MQos clXrtZZvEfAUE6JecG4dVy22Uhj/pz/5G8J1CnAGl9eJFZpuCxMMnB4MneKDEhs1 oiaZmISpCfrEd1LclJQp35KaeMItsOl5xBTLPgxQkYoDgL3zQk74JQAfRnZhUE6I mEVIAR95ZeZMRDlacnsyaaAF499Uc7ZjciC2rrw2wAAs9T0u8fNrzcPPcebJ2csI 7Bb5SW/6Y7pYkPZdaIiwNSl7C3Js//Jd4kkdo7Yw6qQyZaAaHjbOLMq/YYZ+3t3l h2mLR3edbmaA81dJTwX5WfbLPhTmEvuUF4O7zC3Yk5g7ysKEGJ3PplH7ONz0dEhF VjqFuwexNShfXNifzlEsYXwvozMS4pJiifymXlsJU36ZM435kPeUEej8GRCozXV2 19G2dOxEjiwX7nrJVwzrS51cchldZduAalbVFRCTDr8Il3dfNR/N33RfbMHd6zqd AxlCb6tS3wiUO8SF/qU6nPGAcPrUxotNIwIpjxYxv5xLsIeMODE4ht66N0nt1FKP yP4L0aWf7dcWHO/ocm2TifXaGWcP8jhw7hV4gpJJsi+Xyf

On 11/21/24 15:19, Iustin Pop wrote:

I'm not happy with the heavyness that one gets via gpg just for
verifying signatures, so I'd be all for a lighter-weight solution.

gpgv is lighter weight than gpgv-sq. Surprisingly, it's not just
the rustc-static-links-everything problem, since gpgv-static is
also smaller than gpgv-sq.

Antonio

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2024-11-21 Julian Andres Klode <jak@debian.org> wrote:
[...]

An optimal mechanism would instea

[...]

Something seems to be missing here.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Nov 22, 2024 at 11:55:10AM +0100, Andreas Metzler wrote:

On 2024-11-21 Julian Andres Klode <jak@debian.org> wrote:
[...]

An optimal mechanism would instea

[...]

Something seems to be missing here.

cu Andreas

Apologies, I started that thought and didn't quite finish it
and forgot it was still there when sending.

It's a bit surprising perhaps for users if they start with
gpgv-from-sq in the debootstrap, then later they manually
install gpgv, and /usr/bin/gpgv still points to gpgv-sq
due to the divert.

But on the other hand, we do need co-installability,
otherwise the test suite of apt can't test both :D
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Nov 21, 2024 at 06:25:11PM -0700, Antonio Russo wrote:

On 11/21/24 15:19, Iustin Pop wrote:

I'm not happy with the heavyness that one gets via gpg just for
verifying signatures, so I'd be all for a lighter-weight solution.

gpgv is lighter weight than gpgv-sq. Surprisingly, it's not just
the rustc-static-links-everything problem, since gpgv-static is
also smaller than gpgv-sq.

That's correct due to some overlinking in the Rust toolchain,
there needs to be some more crate splitting to make it smaller.

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Nov 21, 2024 at 11:52:38PM +0100, Marco d'Itri wrote:

On Nov 21, Julian Andres Klode <jak@debian.org> wrote:

I've just finished more or less, adjusting the APT test suite
to test gpgv-sq. I plan to upload APT that tests gpgv-sq
tomorrow. This ensures full compatibility between apt and
gpgv-sq going forward.

OK, but why?

Did you make an analysis of how much the size of a minimal system would change?

We currently see a size increase of 8% (9MB uncompressed, 4MB gzipped) in an essential + apt bootstrap:

$ mmdebstrap --variant=essential --include=apt unstable unstable.tar
$ mmdebstrap --variant=essential --include=gpgv-from-sq,apt,gpgv- unstable unstable-with-sq.tar
$ $ ls -lh unstable*.tar
-rw-r--r-- 1 jak jak 114M Nov 22 13:39 unstable.tar
-rw-r--r-- 1 jak jak 123M Nov 22 13:39 unstable-with-sq.tar
$ gzip unstable*.tar
$ ls -lh unstable*.tar*
-rw-r--r-- 1 jak jak 46M Nov 22 13:39 unstable.tar.gz
-rw-r--r-- 1 jak jak 50M Nov 22 13:39 unstable-with-sq.tar.gz
$ diff <(tar xOf unstable.tar.gz ./var/lib/dpkg/status | grep ^Package\\\|Installed-Size) <(tar xOf unstable-with-sq.tar.gz ./var/lib/dpkg/status | grep ^Package\\\|Installed-Size) -U0
diff --git dev/fd/63 dev/fd/62
--- dev/fd/63
+++ dev/fd/62
@@ -29,2 +29,4 @@ Installed-Size: 109
-Package: gpgv
-Installed-Size: 509
+Package: gpgv-from-sq
+Installed-Size: 14
+Package: gpgv-sq
+Installed-Size: 8167
@@ -110,0 +113,2 @@ Installed-Size: 368
+Package: libsqlite3-0
+Installed-Size: 1833

There are a bunch of toolchain/crate-splitting issues here: Rust
overlinks, neither do we use all 8MB of the code that's linked
into gpgv-sq, nor does it actually need libsqlite3-0. This happens
because gpgv-sq uses gpg-sq crate, if they were split up, things
should go down quite a bit is my understanding.

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEET7WIqEwt3nmnTHeHb6RY3R2wP3EFAmdAfrQACgkQb6RY3R2w P3Gklw/+PyvKgb747viu67U5Wrxsl59pB1Wxbq2BK2qWey51aizI3eJawtQRmi5I 7dsytS48h/8Z7TC3ZquhiVDsmLtDuR9dTpz4/Pj2+w+uTJOZW5h5kAFBfh8hHB+b Fsqn4XfnyceFrlUuk9qknOuAJMaAkQ2Yaq13VCu7YnycI3zwfU0yZ

On Thu, Nov 21, 2024 at 09:16:20PM +0100, Julian Andres Klode wrote:

I've just finished more or less, adjusting the APT test suite
to test gpgv-sq. I plan to upload APT that tests gpgv-sq
tomorrow. This ensures full compatibility between apt and
gpgv-sq going forward.

After that migrates to testing next week, I want to make
the switch: APT by default should use gpgv-sq. Previous
discussions with the security team did not reveal any
blockers for that, despite the strenuous nature of
security updates for Rust packages.

I have been informed I did not include the reasons and it's become
clear not everyone already knows the background here:

1. The GnuPG upstream forked the OpenPGP standard into his own
thing called LibrePGP, and GnuPG 2.4 implements that new thing
and is by default incompatible with other OpenPGP implementations.

2. GnuPG 2.4 is in experimental and patching out the LibrePGP
stuff is kind of necessary for it to be acceptable for release.

3. GnuPG 2.2 which is in unstable reaches its end of life in a couple
of weeks.

4. The GnuPG implementation quality has issues, such as silently
ignoring options not relevant to the current operation/mode,
producing no clear errors on expired signatures (they show
up as valid, just not as "good", but not as "bad" either),
and some features are very much unsafe, for example, the
new --assert-pubkey-algo feature accepts
<operator><name><size>
as the syntax, so it looks at >=ed448 and accepts ed25519
as being stronger because 25519 >= 448, whereas it is
the weaker curve.

Switching to gpgv-sq gets us out of this hole now while
we are waiting for the Stateless OpenPGP standard and
implementations of it to mature such that we can switch
to sqopv (| rsopv | sopv-gpgv | gosop).

Also it's written in a memory safe language which might make
the OpenPGP packet parsing safer :D

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEET7WIqEwt3nmnTHeHb6RY3R2wP3EFAmdAgV0ACgkQb6RY3R2w P3EyBxAAkTHslqocMVuy5hwxD8td6pFC98SEKjC8PodYM73y3GZg7yiUh0MCSkG4 3UPELthhtxkTUPj6h2of89JqJEu/BB+qJc/6U6FcmaVfeDRqYPqrcMnTmcHPNrRk PQ0T3nzWRm8+6pAa5m/quWI01dIwGCHs1ecM+Fi5DwpilDPiiDUcLqk2BJpcyuQY HBNJCk+fpEqBsC3QUFoKPW9rTDQZYxo2WnMb5rcAkkFye8pCRl14PIFKm1FQFRyR Wt7AF1q3EozS8AZJC/3iTIMGkJeojJ3oCeJwWGd+tnqW+gf8W6WZBvmCscIyjT2j Iy/sD+jyLSHj0SWexDuRw4TEE5u3FMEYEcF1wkEdCFVJSDysM46nJGWdKAjVLPr0 3ZHdZ7a4cCG5jbXh3Jh8G/2SQWG4Ldi2VUVQ8ZgXnh5ibwWZfVY54nml68Qkg8PH AKlazRM1Y5K5c/IUg3TFb0c1CZO7Y+OxCJhcr6kGnH0C49agPq6EhKwi10sl4AGD cvQ13htKbIpnBr8h5QiZoxSyCIdCFAF/1+dAYIzt2E9d9+pkYOnaC246lFQbVIwq ASZTuATlo/cCelrqF/XYnLiVC1ksjyS19PTghD5gR+eTpZdMVD9jAVP3sOTLi1rX vqzHqh1krnnAYK0ts0WO2lFfQEsz50pK6SXDiaRg6YZGA1CzkLs=
=hBw8
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Ori

On 2024-11-21, Julian Andres Klode <jak@debian.org> wrote:

As for ports without gpgv-sq, this does not affect them,
they can be served by the gpgv alternative. Once a gpgv-sq
is available, it's important to note that no migration happens

To me it looks like we will sligthly grow the base system and have
different kind of bugs per architecture depending on availability of
rust.

That doesn't sound great from a software testing and bug compatibility perspective.

I'm not sure I think it is a great idea.

/Sune

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Nov 22, 2024 at 04:14:59PM +0000, Sune Vuorela wrote:

On 2024-11-21, Julian Andres Klode <jak@debian.org> wrote:

As for ports without gpgv-sq, this does not affect them,
they can be served by the gpgv alternative. Once a gpgv-sq
is available, it's important to note that no migration happens

To me it looks like we will sligthly grow the base system and have
different kind of bugs per architecture depending on availability of
rust.

All release architectures support Rust. We should not accept
release architectures without Rust support.

A minor set of ports architectures does not have Rust support
yet.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Quoting Julian Andres Klode (2024-11-22 17:36:17)

On Fri, Nov 22, 2024 at 04:14:59PM +0000, Sune Vuorela wrote:

On 2024-11-21, Julian Andres Klode <jak@debian.org> wrote:

As for ports without gpgv-sq, this does not affect them,
they can be served by the gpgv alternative. Once a gpgv-sq
is available, it's important to note that no migration happens

To me it looks like we will sligthly grow the base system and have different kind of bugs per architecture depending on availability of
rust.

All release architectures support Rust. We should not accept
release architectures without Rust support.

A minor set of ports architectures does not have Rust support
yet.

Rust is unsupported on i386 and patched to silently assume i686 - see
DEP-3 references in this patch for discussions about that, and the patch
itself for a way to more loudly make reverse dependencies aware that
code using SSE2 *must* be compiled without optimizations on i386: https://salsa.debian.org/debian/rust-wide/-/blob/debian/latest/debian/patches/2001_fail_non-sse2-x86.patch

Beware that Rust team build routines run tests without optimizations, regardless of DEB_BUILD_OPTIONS=noopt, so for libraries maintained by
them the issue may go unnoticed until reverse dependencies run into the
issue *and* test for it, otherwise it might go unnoticed until users
report it.

- Jonas

--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
* Sponsorship: https://ko-fi.com/drjones

[x] quote me freely [ ] ask before reusing [ ] keep private --==============d34106307825074669=MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Description: signature
Content-Type: application/pgp-signature; name="signature.asc"; charset="us-ascii"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEn+Ppw2aRpp/1PMaELHwxRsGgASEFAmdAuLcACgkQLHwxRsGg ASEhuw//bfxfC1at0gU4gJzEe3QcuTRRsrohjvXwrYS/iN20vyoczmieZlWfWYIo Yx3wzykyDuF8YX+w0yd0BC6iI9kUSCHR5Xw4DnwRtJ0UbIvXUwqa3emi6I+97tdt 3/p94vwoHzDu5/ALvwAYsIPvlR+nsK7D7pIKEL80YFL1IxF/tNgwfDdwPSI20lBW PWlcK7YwuDZ+aM0w2wXRuJLsTSmDo69TEJ6vODFOX8CgaDQ3tv1s/xbssK2QmLeI w0imZS4NZ7EWQY5/PrYmtrOejxImupGp1Fs22pr7JNRV8Vyvma97BoaJGYrA6ieD kCwf7d+tCMGmWYLOOTzGno2hKQO+99fW4C3pTJfBmZ9UCgGOiIMoUGJY6ViuYb/l LwAjeH7t5wmno4WrpZEHZ5ZnmYfraQF6y6/fpqnAjTpuWQrSssBeepuwPpRERpAi mcOnJp62v3GX4Ocx3dX+ZAAyb9k1+NCBdVUeiesp

On Thu, Nov 21, 2024 at 09:16:20PM +0100, Julian Andres Klode wrote:

I've just finished more or less, adjusting the APT test suite
to test gpgv-sq. I plan to upload APT that tests gpgv-sq
tomorrow. This ensures full compatibility between apt and
gpgv-sq going forward.

2.9.14 in unstable contains the test suite fixes and prefers
gpgv-sq *if installed* but does not change any dependencies,
so you can now easily try out gpgv-sq in APT just by installing
it, without affecting other gpgv uses.

That said I of course Recommend you to install gpgv-from-sq;
gpgv in particular has a small interface and there should not
be anything missing or broken.

The broader gpg replacement meanwhile lacks editing and deleting
keys and possibly some other stuff people actually use, much of
which they can do using native sq.

If you want to learn more about Sequoia and the Chameleon
in particular, watch Holger's talk at this year's DebConf:

https://debconf24.debconf.org/talks/16-chameleon-the-easy-way-to-try-out-sequoia-openpgp-written-in-rust/

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en

-----BEGIN PGP SIGNATURE-----

wsG7BAABCgBvBYJnQL6kCRBvpFjdHbA/cUcUAAAAAAAeACBzYWx0QG5vdGF0aW9u cy5zZXF1b2lhLXBncC5vcmdHftd9BJiQ0EHcXm1FcZ2nEGhB78RCP8jxoZCowo6f wBYhBE+1iKhMLd55p0x3h2+kWN0dsD9xAADTqQ/7BVcrb7bz7CrY97iz+/WZ2k6N Jp3pvbEIN5i7V8EhmbDigRw1FWAwzSn26ivjYiJl5fUKVii9q7cTxA6LIENc/JFv bGLtubxMFrsp0AMWTmybAQvKbjInsFYDDBfpQaDrzV4WipkYjAAx1/CuogyATKI/ 2IAx0n7ehaPiKYZRbBy7c6sytM6z75FFipx32A8OQbkg6Egv8jsSWwmlXft5esVq 9UQ1+2rmLfGmYH7dK0ImBwO04y6Q2FY3Fbkp02PoSaQO8MfbZybNAM7EL3Z8WJx1 dCGZDjqknm4oC2xqnkX47awcHquaznE8AVESVt5kJw16s9wXnIj7BqJ1PB0IA+x3 +MGog9kKyu9HeFJGEma26WaVNXJimA9PfjACQge0uXsnSpg96lLOid/wQHh7D5UJ 7pU/cJbZo+818IkwfAC+ckLdyC4U0d4Il65clSUTzS87QUvnA2sNIelaVJloblTb NE4P8/7Obn6X4v2/Oa5gDpu3M07x5GJHyYKofz70s6DHW6TJ67H9kp/cPUdoPOG3 j45yyTj9xa30tthCSY25RqEU0ztITlCHPdNR0AI4hSxVAQALHCDRjbHl++h7bfQl JxMIIU+LcyKMPxVDlZxgGYybZcFyhrp5SkkJCDPa1YwrLQFgM+fa6wsAdb

On Nov 22, Julian Andres Klode <jak@debian.org> wrote:

That's correct due to some overlinking in the Rust toolchain,
there needs to be some more crate splitting to make it smaller.

Do you have reasons to believe that this is going to happen in time for
the next release?
The size increase is not trivial. :-(

--
ciao,
Marco

-----BEGIN PGP SIGNATURE-----

iHUEABYIAB0WIQQnKUXNg20437dCfobLPsM64d7XgQUCZ0DcZAAKCRDLPsM64d7X gRxaAQDn7EfYDIJ/bAw8gvMevYkBTHusPcuyrk3bdKapKP7lfQEApt+vURwJmVN5 cVi9rF5YshB30fwpaguGUOSA5LVojQI=
=Glip
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

1. The GnuPG upstream forked the OpenPGP standard into his own
thing called LibrePGP, and GnuPG 2.4 implements that new thing
and is by default incompatible with other OpenPGP implementations.

Which kind of default incompatibility is implemented in GnuPG 2.4?

kind regards
Frank

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Nov 22, 2024 at 01:53:11PM +0100, Julian Andres Klode wrote:

On Thu, Nov 21, 2024 at 11:52:38PM +0100, Marco d'Itri wrote:

On Nov 21, Julian Andres Klode <jak@debian.org> wrote:

I've just finished more or less, adjusting the APT test suite
to test gpgv-sq. I plan to upload APT that tests gpgv-sq
tomorrow. This ensures full compatibility between apt and
gpgv-sq going forward.

OK, but why?

Did you make an analysis of how much the size of a minimal system would change?

We currently see a size increase of 8% (9MB uncompressed, 4MB gzipped) in an essential + apt bootstrap:

$ mmdebstrap --variant=essential --include=apt unstable unstable.tar
$ mmdebstrap --variant=essential --include=gpgv-from-sq,apt,gpgv- unstable unstable-with-sq.tar
$ $ ls -lh unstable*.tar
-rw-r--r-- 1 jak jak 114M Nov 22 13:39 unstable.tar
-rw-r--r-- 1 jak jak 123M Nov 22 13:39 unstable-with-sq.tar
$ gzip unstable*.tar
$ ls -lh unstable*.tar*
-rw-r--r-- 1 jak jak 46M Nov 22 13:39 unstable.tar.gz
-rw-r--r-- 1 jak jak 50M Nov 22 13:39 unstable-with-sq.tar.gz
$ diff <(tar xOf unstable.tar.gz ./var/lib/dpkg/status | grep ^Package\\\|Installed-Size) <(tar xOf unstable-with-sq.tar.gz ./var/lib/dpkg/status | grep ^Package\\\|Installed-Size) -U0
diff --git dev/fd/63 dev/fd/62
--- dev/fd/63
+++ dev/fd/62
@@ -29,2 +29,4 @@ Installed-Size: 109
-Package: gpgv
-Installed-Size: 509
+Package: gpgv-from-sq
+Installed-Size: 14
+Package: gpgv-sq
+Installed-Size: 8167
@@ -110,0 +113,2 @@ Installed-Size: 368
+Package: libsqlite3-0
+Installed-Size: 1833

There are a bunch of toolchain/crate-splitting issues here: Rust
overlinks, neither do we use all 8MB of the code that's linked
into gpgv-sq, nor does it actually need libsqlite3-0. This happens
because gpgv-sq uses gpg-sq crate, if they were split up, things
should go down quite a bit is my understanding.

I also have an sopv implementation in progress. The issues there
are quite funny:

- If verification fails we more or less can't tell you why. You'll
get

Verification with sopv failed with code 3:
No acceptable signatures found

- No tests

- Can't set a crypto policy on it, aka enforce hashes or algorithms,
need to rely on backend.

But aside from that, it's only 2 MB with sqopv as the implementation.

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en

-----BEGIN PGP SIGNATURE-----

wsG7BAABCgBvBYJnQQsFCRBvpFjdHbA/cUcUAAAAAAAeACBzYWx0QG5vdGF0aW9u cy5zZXF1b2lhLXBncC5vcmfVGlwcAsUkI1hjU50GRBTSfv7a5Plfu3ttJ3lsR5zZ zxYhBE+1iKhMLd55p0x3h2+kWN0dsD9xAAC31xAAhPLtb2l1z+j1y3y+yhzr3XMY lZr2J+qMJh8EI/wE556esOATb3qQrhqJ2zisWTffkF9AFGqIt7Zm7gJeAjanfXGs GCzjsNsrh6L3g34BiSW16QOtgiXKF6CdDQ47PX+3Kb9bOV0XC14RgjEsxgBNrd0B w6LhAFRR4Suvumvqsy2zA6CO+tH3nnMdHUWiVrkhFyxtYNG4bBYEfU75WTgPdMlr Bd8eAPyKwyI3+4x52cAZBYnfKIzT886ljiBy+WWkpszI9AJPvHj7QZTKLkyhj8/P INqHE7FRFSDG7U1QoE6fDsZZ1Q5w9n/WGu5pjWRiRlp2J/ViyG662qGGzbYmKlqz RXtJvdX3W0L9kIQhhP4h18xEcTVttJXYTubr5sQTri1YAIm00rNykKvcs2g+rDaO sUUPSDiDKfbwpIGtYTaRyN+ToUg26ArrWLT56rpL6e5w70nIs5a+sfA4/29Jw1lS vbXhFqjYjmXjYTolVE4bMGhxSCQ/Pqto6kh1v3K1pjt0RQqQ8ON3HYIwitAr5DQb f5sFUDIWf2cctn6+6r5iceIZrVjz8zaw6tjL3/FDLn8h31O6VvBhfF8iT887iPBl zMqGRs7hpVt74rkp2pCn+CxNOEMMPElq9Ha/jXHURGQ7QF/EYQ4CltFzOA

* Jonas Smedegaard <jonas@jones.dk> [241122 18:01]:

All release architectures support Rust. We should not accept
release architectures without Rust support.

A minor set of ports architectures does not have Rust support
yet.

Rust is unsupported on i386 and patched to silently assume i686

i686 is not a problem, as that's the arch baseline for our i386
arch since bookworm.

- see
DEP-3 references in this patch for discussions about that, and the patch itself for a way to more loudly make reverse dependencies aware that
code using SSE2 *must* be compiled without optimizations on i386: https://salsa.debian.org/debian/rust-wide/-/blob/debian/latest/debian/patches/2001_fail_non-sse2-x86.patch

Beware that Rust team build routines run tests without optimizations, regardless of DEB_BUILD_OPTIONS=noopt, so for libraries maintained by
them the issue may go unnoticed until reverse dependencies run into the
issue *and* test for it, otherwise it might go unnoticed until users
report it.

So maybe it's time to raise the baseline to i686+sse2.

C.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Nov 22, 2024 at 06:25:58PM +0100, Julian Andres Klode wrote:

If you want to learn more about Sequoia and the Chameleon
in particular, watch Holger's talk at this year's DebConf: https://debconf24.debconf.org/talks/16-chameleon-the-easy-way-to-try-out-sequoia-openpgp-written-in-rust/

thanks, Julian.

the first 7min of https://toulouse2024.mini.debconf.org/talks/20-lightning-talks/
have an updated version of that talk and regarding Sequoia in
general I recommened https://debconf24.debconf.org/talks/127-sequoia-pgp-sq-gpg-from-sq-v6-openpgp-and-debian/
from Justus Winter, one of Sequoia's upstream developers.


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

In Germany we don‘t say „Happy Valentine‘s Day, I love you“, we say „ich werde
diesen vom Markt kreierten, konsumorientierten Trend des Kapitalismus nicht unterstützen,“ and I think that’s beautiful. (Hazel Brugger)

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmdBm8IACgkQCRq4Vgaa qhwYUw/+OF5XY0vu2vy7fclZcypnWzdgAzv9Gq/pAvDdIl/Zg1CYS5mRWZr0kizw HYc2zn7PWeO/b0SOkF0bIwprXurIuPe5IMqoKBH6MI9oqtPqiXJ1GKi4Tde8iO4X dfcATv2KMdwJxPuhk96GzQmv9+K7n0JuKzkdmYe651axt/zBMxxrEAiwHnxIhyn4 VkoVtJl2q+qVw2bTM82h73XFKDTsk1oyH0nW1vD52Mi0KwUgyqh8PP4i28Ua5yKY wS8dTC69/Dvrwcrh0WwchTReWboPp697MvYGxbYGBoXl2HKUYNjdrUE3c0Lq+EpA z6VqZm+WlfcYJiG1btGCLLDkKOh9wl768IJv1OsbG/UiLUQDEcHQO6xOrLDiSy9j pAGcHjdcAyzVaw3y/8AvaUfW2OFHLpM7oyHF6E72VhDTs4rV+weuC+PFyYgAlcrC
2Yo5kDvttqFs

Quoting Chris Hofstaedtler (2024-11-23 04:16:29)

* Jonas Smedegaard <jonas@jones.dk> [241122 18:01]:

All release architectures support Rust. We should not accept
release architectures without Rust support.

A minor set of ports architectures does not have Rust support
yet.

Rust is unsupported on i386 and patched to silently assume i686

i686 is not a problem, as that's the arch baseline for our i386
arch since bookworm.

- see
DEP-3 references in this patch for discussions about that, and the patch itself for a way to more loudly make reverse dependencies aware that
code using SSE2 *must* be compiled without optimizations on i386: https://salsa.debian.org/debian/rust-wide/-/blob/debian/latest/debian/patches/2001_fail_non-sse2-x86.patch

Beware that Rust team build routines run tests without optimizations, regardless of DEB_BUILD_OPTIONS=noopt, so for libraries maintained by
them the issue may go unnoticed until reverse dependencies run into the issue *and* test for it, otherwise it might go unnoticed until users
report it.

So maybe it's time to raise the baseline to i686+sse2.

As I understand the situation with Rust, it is *not* that compiled code
fails to run on old non-SSE2 hardware. Instead, the problem is that the
Rust compiler produces code that is *ALWAYS* broken regardless if target hardware supports SSE2 or not.

Yes, your final remark is a "solution" regardless, I just wanted to
emphasize that the problem affects the whole architecture, not only
outdated parts of it.

...unless I have misunderstand the situation, obciously.

- Jonas

--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
* Sponsorship: https://ko-fi.com/drjones

[x] quote me freely [ ] ask before reusing [ ] keep private --==============�16339857957778092=MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Description: signature
Content-Type: application/pgp-signature; name="signature.asc"; charset="us-ascii"

-----BEGIN PGP SIGNATURE-----

wsG7BAABCgBvBYJnQcYQCRAsfDFGwaABIUcUAAAAAAAeACBzYWx0QG5vdGF0aW9u cy5zZXF1b2lhLXBncC5vcmfM2jVLXZb+vOnMOeqlApN6bfHPLkY3aNHaKt3eyK+M XxYhBJ/j6cNmkaaf9TzGhCx8MUbBoAEhAADgQRAAmZM6Q7GkobpcARu9/Vrle3lz U9uX7O9ol3iTKexI3axdL46EWnpSd3W9+RunFutF4x4PhueDNMTB9anl+Kl720pk 1wQNWAxqIggXQam0jyEamWaXkdD/iB2xKwB2OSHGjDJkm18lKJdBaGc0erMk3L53 QAaR42pFfZnMNL9WkDlgs/xefqjXHp/Vd+V5qinJm1NeHihQPBot6cQf9asJSj71 65aR653rSK9nU4aqHyppQhNH0Ee0TFXf9YeeU4IEQ9APKLED1LcfVnzCMWC+1t5y nRdBuXWZuCOTnbvQ3Kxt+RTT9D5Qkh7AVP6f1J/s2VWipt0cxyg8+VqIbxV83Myh 5+RZ6e80Rrqs2WhNDmBmzHvSzAt2JLKweM9PnCdS

On Sat, Nov 23, 2024 at 11:29:04PM +0500, Andrey Rakhmatullin wrote:

On Sat, Nov 23, 2024 at 03:14:42PM +0100, Fabian Gr�nbichler wrote:

B) bump the i386 baseline in Debian to require SSE2, and stop disabling SSE2 there in rustc

As suggested by Chris, and a popular opinion/request in general.

--
WBR, wRAR

Considering that for Trixie we won't have an i386 installer, particularly:
it seems evident to me that as more software depends on Rust, less of it
will be usable on i386 (and possibly something like armhf in due course.)
This whether or not we rebase the hardware requirements for an architecture.

I think that it is inevitable that i386 won't get the same amount of
software as amd64: Rust might be the deal breaker. (In the same way
that some large/complex apps don't get built for all architectures /
memory sizes. - Not everything can happily build/run Firefox, for example).

Just a thought

Andy Cater
(amacater@debian.org)

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sat, Nov 23, 2024 at 07:05:39PM +0000, Andrew M.A. Cater wrote:

B) bump the i386 baseline in Debian to require SSE2, and stop disabling SSE2 there in rustc

As suggested by Chris, and a popular opinion/request in general.

Considering that for Trixie we won't have an i386 installer, particularly:
it seems evident to me that as more software depends on Rust, less of it
will be usable on i386 (and possibly something like armhf in due course.) This whether or not we rebase the hardware requirements for an architecture.

Sorry, I don't get it.


--
WBR, wRAR

-----BEGIN PGP SIGNATURE-----

iQJhBAABCgBLFiEEolIP6gqGcKZh3YxVM2L3AxpJkuEFAmdC1ZwtFIAAAAAAFQAP cGthLWFkZHJlc3NAZ251cGcub3Jnd3JhckBkZWJpYW4ub3JnAAoJEDNi9wMaSZLh bjkP/1AFAzsnZcYDkyPDdtMEijHedP1k7Q6oBsi09ZBBxOZh0v+xS2zmmFg/ZjpA a6t9WSC29hgn0qoYOQ3L+8JaGfrBlcxVDfu0taxGjN6b2EZ0Fg9A+pXFSMuiQY0c RFmWL/5YRKZkUdX3accBEAFL/TxW6QnBOIM4d2fAHDYLgwFcuaHg80aDd2pOJRf/ yDtG2FQE8eLf4OTswQBjE8VMswfaiiS3qlt8e3TjqNXRiAr+/IoP93bM4uevz6Tc mibXxBEqi5rqygg1+uudwP6jJJDYQX8ltTru5G+jMfd9JDuJBElCbC/oij6nRsZE j/RO/AOUljdUYVMT+df879WX9PRdM8FgJidpwRKhIb+eFPF6PJ2tVlGlMfZ1i3s/ NCf71RxZM+flbeHDZNdV0VBNbgpxV2HDzz3FqaA9fDO7q7qu0x7O+lgPdWDJgXW+ KQvPUcB1lRJdwnUkzPBBKEYKjIPA6nrsY7gYylQ+9RufnG3KkVzPaU1zw82uNgJp nYeD4nr6+vbHJn41pCRVrIAgSb5gL/cx5W7SsmFI1TygYyooFYnlxmUwW9KHaq3f oa/y1hxE7Fkz9Za7tutvHLVqM1o9r0CdkHVBMmBcupbqKUBn+uuQHI/mvZ32g7qK Gocg9AC6b9ktP3IBOThFXRH0pb2cnHItSAimuvqy9uillWI3
=fr6V
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sat, Nov 23, 2024, at 8:05 PM, Andrew M.A. Cater wrote:

On Sat, Nov 23, 2024 at 11:29:04PM +0500, Andrey Rakhmatullin wrote:

On Sat, Nov 23, 2024 at 03:14:42PM +0100, Fabian Grünbichler wrote:

B) bump the i386 baseline in Debian to require SSE2, and stop disabling SSE2 there in rustc

As suggested by Chris, and a popular opinion/request in general.

--
WBR, wRAR

Considering that for Trixie we won't have an i386 installer, particularly:
it seems evident to me that as more software depends on Rust, less of it
will be usable on i386 (and possibly something like armhf in due course.) This whether or not we rebase the hardware requirements for an architecture.

There's a big difference between
- some software doesn't build on i386 anymore (cause of memory/.. constraints) - all Rust software is potentially subtly broken on i386

The former won't go away by raising the baseline, the latter would..

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Nov 24, 2024 at 12:28:28PM +0500, Andrey Rakhmatullin wrote:

On Sat, Nov 23, 2024 at 07:05:39PM +0000, Andrew M.A. Cater wrote:

B) bump the i386 baseline in Debian to require SSE2, and stop disabling SSE2 there in rustc

As suggested by Chris, and a popular opinion/request in general.

Considering that for Trixie we won't have an i386 installer, particularly: it seems evident to me that as more software depends on Rust, less of it will be usable on i386 (and possibly something like armhf in due course.) This whether or not we rebase the hardware requirements for an architecture.

Sorry, I don't get it.

Hi - sorry I might have conflated more than one thing: let's see if I can make myself more clear.

1. Rust itself is fast-moving and difficult to package/deal with. There's a couple of threads on LWN.net on this at the moment. There's a further distinction between Rust in general and Rust in the Linux kernel itself -
which is further behind Rust head development. In general: Support in
Debian is difficult for fast-moving software without guaranteed backward compatibility long term.

2. Upstream Rust doesn't particularly care about 32 bit i386 - so it's a
Debian thing to try and produce appropriate binaries including Rust wherever they are.

3. There are packages including Rust that can't be built on 32 bit / can't be built on some of Debian's ports. Firefox is one, I think - and there's the general problem that some larger packages like libreoffice are marginal on
some architectures, without considering Rust. That situation can only get
worse with time.

4. The consensus seems to be that i386 in Trixie won't have an installer
built for it - there's no kernel support in the most recent kernels. The architecture is being maintained primarily for compatibility with older software (also the reason for no time_t64 transition on i386).

5. If we're moving hardware baselines for the sake of Rust (or any other software on this architecture) it's already too late.

Does this help? I don't have a horse in this race, so this is purely an
opinion to be considered,

All the very best, as ever,

Andy
(amacater@debian.org)

--
WBR, wRAR

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Nov 24, 2024 at 04:22:18PM +0000, Andrew M.A. Cater wrote:

B) bump the i386 baseline in Debian to require SSE2, and stop disabling SSE2 there in rustc

As suggested by Chris, and a popular opinion/request in general.

Considering that for Trixie we won't have an i386 installer, particularly:
it seems evident to me that as more software depends on Rust, less of it will be usable on i386 (and possibly something like armhf in due course.) This whether or not we rebase the hardware requirements for an architecture.

Sorry, I don't get it.

Hi - sorry I might have conflated more than one thing

That's what I thought :)

1. Rust itself is fast-moving and difficult to package/deal with. There's a couple of threads on LWN.net on this at the moment. There's a further distinction between Rust in general and Rust in the Linux kernel itself - which is further behind Rust head development. In general: Support in
Debian is difficult for fast-moving software without guaranteed backward compatibility long term.

2. Upstream Rust doesn't particularly care about 32 bit i386 - so it's a Debian thing to try and produce appropriate binaries including Rust wherever they are.

Yeah. Bumping the i386 baseline will certainly only fix some of the
problems, talking here not just about Rust but in general. I agree that
i386 is not a priority for most upstreams and the baseline doesn't matter
in many of those cases.

3. There are packages including Rust that can't be built on 32 bit / can't be built on some of Debian's ports. Firefox is one, I think - and there's the general problem that some larger packages like libreoffice are marginal on some architectures, without considering Rust. That situation can only get worse with time.

4. The consensus seems to be that i386 in Trixie won't have an installer built for it - there's no kernel support in the most recent kernels. The architecture is being maintained primarily for compatibility with older software (also the reason for no time_t64 transition on i386).

5. If we're moving hardware baselines for the sake of Rust (or any other software on this architecture) it's already too late.

I think it's something like that:
1. Considering the likely future path for the i386 Debian arch we should
mostly care about libraries and maybe agressively disable building leaf executable packages at some point. I don't remember anyone suggesting to instead make a closed "allowlist" and drop everything else, and that could
be an interesting idea, but maybe it's too early for it.
2. It seems that we won't be able to maintain everything we want for i386,
and will need to drop random things after they are no longer possible to maintain there.
3. Still, we may want to do some things we can do in order to maintain
more "libraries" for longer.

So yeah, it may be possible that the people responsible will say "it's not possible for us to keep Rust on i386". But it's unclear if it's worth it
to keep it or not in the possible future "legacy apps support only" i386
if it is possible to keep it.

--
WBR, wRAR

-----BEGIN PGP SIGNATURE-----

iQJhBAABCgBLFiEEolIP6gqGcKZh3YxVM2L3AxpJkuEFAmdDabotFIAAAAAAFQAP cGthLWFkZHJlc3NAZ251cGcub3Jnd3JhckBkZWJpYW4ub3JnAAoJEDNi9wMaSZLh BQ0QAIEHeL3Q5m4dx5Ykohwpw2OU9wTP+4a2+U5DppoddBwjXcqNHp/YqVz/mvsc ps6GOxEoN7uNRoP/OYQXCuXowdGjzyd/YoHtS742LfhTMByXWZzSbEiRDe994c+r tfhZqi3GMjDid9xDkQqtdZaaK1voheDi5RrvAlIhqEg1CJFq1KtdeDkBfbk6Wq8x mAVESVT6uNu20+wJQirZXj/Fp8DHssaHod9THBEoTJLrYw0++sClrLvM/OSj1J1K Swa5WT4IlKm1k+b1qfwAa8ul1fis6gqXBBL+wRqygzV0GLZppd9dkTwFwt9j9/4I +sdJShWxYGILXvNrZwQarIaX2OytidV+7/w27OetNYXQXg3G171enNXdjAmdT9jJ aR6MMpRdd05tyPs2P4z3WtNrmZHM41FCuWGo84xaekha9CCB3dnm8M5Q1r8LESQH grxs4BghbzCwBC07NycdBcCi4tSzbzemg9qkPFD96m67yr953Y9tEGtOPnEYyRac Omn4/BHOyzRUCRSFow4Zp7GzhR0zzSRzSSrCnJkRMs//avUKMVYLt6mHubhTZqv/ ay6quf+PcgRM5aqsVaIG5xaC/DtZGiUpSw7vVgSgtbDpflv7n+ZmWEOJFmx+mtpT trs8ZNIveFU5hwAtVyzcx2Y36EBFfGZgba37fGpBsiN/T6yM
=uMfq
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On 11/24/24 17:22, Andrew M.A. Cater wrote:

5. If we're moving hardware baselines for the sake of Rust (or any other software on this architecture) it's already too late.

Huh? Why?

[Putting my Release Team hat off] Personally I think Debian should be
raising the baseline for i386. I'm not sure about to which level, but
I've seen proposals in this thread.

Given that
1) we're no longer supporting i386 as a full architecture (no kernel, no installer, only in chroots or as multiarch)
2) we don't clearly have i386 porters
maybe we should seek consensus in this thread and go with that.

[Release Team hat on] I would take consensus for a decision on the topic.

Paul

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Nov 24, 2024 at 06:23:00PM +0100, Paul Gevers wrote:

5. If we're moving hardware baselines for the sake of Rust (or any other software on this architecture) it's already too late.

Huh? Why?

I think the Andrew's idea in that line is "some software shouldn't be, and
some software can't be, in the future i386 port, and changing the baseline won't change that fact for most of that software".
As I've just written in my other email, it's unclear to me if doing this,
among other things, is indeed useless.

[Putting my Release Team hat off] Personally I think Debian should be
raising the baseline for i386. I'm not sure about to which level, but I've seen proposals in this thread.

Given that
1) we're no longer supporting i386 as a full architecture (no kernel, no installer, only in chroots or as multiarch)
2) we don't clearly have i386 porters
maybe we should seek consensus in this thread and go with that.

[Release Team hat on] I would take consensus for a decision on the topic.

(my opinion on this, already stated in this thread, is "match the amd64
one" and I think when we bump the amd64 one we should also bump the i386
one)

--
WBR, wRAR

-----BEGIN PGP SIGNATURE-----

iQJhBAABCgBLFiEEolIP6gqGcKZh3YxVM2L3AxpJkuEFAmdDayQtFIAAAAAAFQAP cGthLWFkZHJlc3NAZ251cGcub3Jnd3JhckBkZWJpYW4ub3JnAAoJEDNi9wMaSZLh GL8QAJ0Be2BHL5qxnrOAu6oofF7/UB410D9D3f5PiYw2CZlYwFHEiyjYIVZWWIkV N8vcHEtANXP4ToAYzFMLAhg3N+f/nJreZryIXvy/oCgF/+zrAxPUw8UUGExc0+gR oqdbg3MEO9jHZSFBYrHPgvn0zCQs1qRScKhxHk9JEhImiNz5uj0zINT040JRGeZg /yqh62fwIBwgZb8Jdx4yP+WK78e8L2nTFx78ZO7mUfm6YQK2DR4nw7scfgxOSjn2 28V7CckoMC48YyIrN9DfUx7D2zkO8nJlGkqYgqnEOleA3DQ98hJYUOiHxVx+3/5J zenvxnkMyYyL12+jpn0rJbxxolZILHOuuQ5GYbiYeu5KI+Vyk+wDZ0SNRQdsWo0E nVytXTLEy7jyvZMLRDz+oEXnLeef9XtXx7hB+SkPTdDzKkd9jPtZOrOQPRdxXJHL kNlcw/IYjlqWNx2BDBBy8jFcdv1O1tO+PvNe1jbm+PPdWpku8a10/72mg1/2WYuN qrCpd4qwnKRjeZvZDcfzMHq0dNt5JLhDLeNTa3L9Y6lQLy3I/AOsX5skjrsaYqSg abmL/vtLmneFKxp0tiAOe4yMiFO6Hm0iY095lyuZ/kab5fXcVyiKm016Bnl7Wa9a TGk85RrOAjBBOjRvxF1RYcdY9WWVW3wvB4U9HwqD29GrHc72
=szHb
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, 2024-11-22 at 18:00 +0100, Jonas Smedegaard wrote:

Quoting Julian Andres Klode (2024-11-22 17:36:17)

On Fri, Nov 22, 2024 at 04:14:59PM +0000, Sune Vuorela wrote:

On 2024-11-21, Julian Andres Klode <jak@debian.org> wrote:

As for ports without gpgv-sq, this does not affect them,
they can be served by the gpgv alternative. Once a gpgv-sq
is available, it's important to note that no migration happens

To me it looks like we will sligthly grow the base system and have different kind of bugs per architecture depending on availability of rust.

All release architectures support Rust. We should not accept
release architectures without Rust support.

A minor set of ports architectures does not have Rust support
yet.

Rust is unsupported on i386 and patched to silently assume i686 - see
DEP-3 references in this patch for discussions about that, and the patch itself for a way to more loudly make reverse dependencies aware that
code using SSE2 *must* be compiled without optimizations on i386: https://salsa.debian.org/debian/rust-wide/-/blob/debian/latest/debian/patches/2001_fail_non-sse2-x86.patch

[...]

That's unfortunate. However, I think this a short-term problem. Since
we no longer ship an i386 kernel, after the trixie release we should be
able to raise the baseline for i386 to include the features that are architectural in amd64.

Ben.

--
Ben Hutchings
Any smoothly functioning technology is indistinguishable
from a rigged demo.


-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAmdDdmgACgkQ57/I7JWG EQmjbA//Sy6qpOY7Vc4H7rOPKxc9TO1xAf59F1zjOSGvf7YeOuffOqHVn5/zX1s3 rv0/guAPGVFTl2kPln0W3wfMtQJZbuOt9KmqbjHguRG+BDRPiU7tQcHxzjEkT5sr GjvQ283hx7bEGVJZHbeGgVwszauVLxfiHo7m7CoO+D2BVZ6aB2eDeBFVgIdgMLwi GVrx1Oozv2Z8WGa0RpX5QLBggjINZLUbpt6+lRIfEqcA/rI3vzLivuhp6eyC8x+X Bu5zKe701upIq30PhlqYXHdAa37zbd5dKhvtpkFj5nezQxoyKJUM6W7KD+hR8puX H9ZAub+0v4P/hSc27OsLKs/pbPrxeaqcG98ZPcDQ0pTyZV9zHBhbvcOa3rYqP/S/ NlXZV/I+c9cOfpjK65BaH3SJVw4uJ+ZoL35KGa749jBi9uHQEKwo3KIooanXbR69 CHYbt2l0yT2+31j5NWgFfEdJPZH6k/iApTnwjns82RlCU1I6V2kR5XTA91e5eLqy c5luLB/7xehykUkQFZTqsjNAphtiPHc7IIsGVLgg/GGp0ER4QZt987uGcDgK+i3S CpnQyFvGNNQNCvZIEl8kt3HOBg3/4+aeQleaWwaxhX8zc7HsrHw4WFk/LlnTWgRj AtPr8nYp9potpHi6dQnxZsGszXMsvV9lJfJbT5t3/dYpz5cFOX4=
=RgUW
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Nov 24, 2024 at 06:23:00PM +0100, Paul Gevers wrote:

Hi,

On 11/24/24 17:22, Andrew M.A. Cater wrote:

5. If we're moving hardware baselines for the sake of Rust (or any other software on this architecture) it's already too late.

Huh? Why?

[Putting my Release Team hat off] Personally I think Debian should be
raising the baseline for i386. I'm not sure about to which level, but I've seen proposals in this thread.

Given that
1) we're no longer supporting i386 as a full architecture (no kernel, no installer, only in chroots or as multiarch)
2) we don't clearly have i386 porters
maybe we should seek consensus in this thread and go with that.

[Release Team hat on] I would take consensus for a decision on the topic.

FWIW from a mostly-lurking small-time DD who often wishes he would
allocate more time to help with Rust packaging in Debian: go for it.

(not sure if you were actually asking for lurkers to pipe in;
thought I would on the off chance of "everyone who agrees is silent")

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@debian.org peter@morpheusly.com
PGP key: https://www.ringlet.net/roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEELuenpRf8EkzxFcNUZR7vsCUn3xMFAmdDiiAACgkQZR7vsCUn 3xMKvRAAmQhp/9/I7r6T0QSDvoK4HO6KGpfvPOM4d4ziuKF/5AUqCY+n2kSO8ClC GxvSs/QlHotd+ArwFSOsRFO9vI2mRMnv/d4cDnUwPlWHM4nQK2klVOAXh3z+aXGO DhdC5q27iH687RRL1BdHM8Vs12tKwg6ipTfTQEFPpAHNnDE3/w/QysGSMEKRZ4Ja ICHS1T5wBT1Avct4RNwksbxVY+Sr/1CHySxzIhHOqiGQ8TokcDIa5mOUqrjzdkQL vJ4wnvlmItnm9dH7e5r/o+jm/koeu+Yf7FXFES3wgN1YSnQ2SEAKaEYDzh9lEQht UA/weaAaf5URRg6duaXJGLGfmxh1FgNM2t9DQaQU773PSouxRFBwHBEDelbvaLmr TPVWBz8mkxMMa1BRoA5zTquAAOF8fUzK5I6w6C6rFK9kR2j2TZTy9+Uypudmyy0c ruih5l3Wo/9bpMNm2G5HCJZXBAAfoRgGOXotEPzm/N44V71pDiJe6LEBm7HtsR1A jaPTPjtuyVbAYtFXWVXhdpg/GubejrjxrElq2qaQF5XVk+NnwUAJItHrXCPfwo7D 7NmCsheCeeOX3AUnQG4LFcXXrB5mxM4UxAeUGhq97yORfgqffDOSD31Zu5NGLb7B bbdBjGuycwBaxUT8QkLOS3jyRy2A55cRQhlN6ptBg4wNs8nwEm4=
=VgSe

On Sun, Nov 24, 2024 at 06:23:00PM +0100, Paul Gevers wrote:

[Putting my Release Team hat off] Personally I think Debian should be
raising the baseline for i386. I'm not sure about to which level, but I've seen proposals in this thread.

same here.

[Release Team hat on] I would take consensus for a decision on the topic.

I for one, agree to raise the baseline.


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

You can cut all the flowers, but you can’t keep spring from coming. #transdayofremembrance #berlin (2024)

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmdDoEQACgkQCRq4Vgaa qhw29BAAmPT8Ti7jx60ns1Bo4eHQ3L/ZN659PphGYJT+HFbH6bADferzghhDpVXv Isngz/DS8Tw0ZLB3bKXFofRatgjoxySFmhFRQMcMQH+RfQJtGnh1cjnTDq9cyLSg WAYJRrvQ4u1MMi/aVQIH1MHIy6i6p+dhCdJHGzJMr9f0228ycW38g5Sz/uASppuq 85CMZboiQDzGY3DM41x7j4WqR5qD7UtUq124CvSEah6NOgOm8Tyh968HUhzhH/o0 Jwv2xyKxcPAIqc/D7kp7TglgKvVFVdNMH0NDpqPEWhpCkaQkQz+ayimsuho/XWsE 08pO1muG4hnRA/ejedsExECaBwr1K5UiCfMKccKdhixG0YiSQ2l0HVEAvc/X0Dsq kNz+JAlcOzGEm9KDh805XsYjzMoEWTy7Aw349sxWqwJciCsN0mc56MBxA4fr+c5L NFxDiCdLRxeMb3wNBbH+bqCqfvzFZ2+8S4sqXCc9MFGhGOKRfBuCSa+tnYuQiHKE WPqXRatRXbVKok0rUxI7VqYOUVX4ICLGawYDUfLUvJGgvs4cVJ12FFNRYgtZevp9
r0UV

* Paul Gevers <elbrus@debian.org> [241124 18:51]:

[Release Team hat on] I would take consensus for a decision on the topic.

Based on my casual reading up on what other distros did before us,
many years ago, ISTM raising the baseline to at least SSE2 would be
a very good idea.

Next up: raising the amd64 baseline.

Chris

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2024-11-22, Frank Guthausen <fg.debian@shimps.de> wrote:

1. The GnuPG upstream forked the OpenPGP standard into his own
thing called LibrePGP, and GnuPG 2.4 implements that new thing
and is by default incompatible with other OpenPGP implementations.

Which kind of default incompatibility is implemented in GnuPG 2.4?

GnuPG people withdrew from the OpenPGP standardization process because
of irreconcilable differences between parts of the working group, and
has gone a different way of standardizing what's being done, called
LibrePGP.

LWN did an article in december about it.

One of the biggest issues in the newest version of OpenPGP standard is, according to GnuPG people, the need in the OpenPGP standard to have 3
diferent ways of doing AEAD.
One of them being quite more complex than the others while not as such
better except if your business model involves storing user's private
keys on your servers, which I consider a bit questionable.
The OpenPGP standard only has one of the 3 as required (the theoretical
best one), but the others are optional to implement.
OpenPGP.js defaults to the complex one that is optional.

LibrePGP supported by GnuPG and RNP (the pgp component of Thunderbird)
The new OpenPGP spec is supported by Seqouia and the libraries done by ProtonMail.

/Sune

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, 25 Nov 2024 08:20:43 -0000 (UTC)
Sune Vuorela <nospam@vuorela.dk> wrote:

On 2024-11-22, Frank Guthausen <fg.debian@shimps.de> wrote:

Which kind of default incompatibility is implemented in GnuPG 2.4?

[...]

LWN did an article in december about it.

Do you mean the schism article[1]? I'll take this
one as a starting point to dive into the matter.

[1] https://lwn.net/Articles/953797/

kind regards
Frank

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Nov 24, 2024 at 12:51 PM Paul Gevers <elbrus@debian.org> wrote:

[Release Team hat on] I would take consensus for a decision on the topic.

If the excess precision issue goes away by bumping the i386 baseline,
that would make my life easier.

Thank you,
Jeremy Bícha

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On November 24, 2024 6:23:00 PM GMT+01:00, Paul Gevers <elbrus@debian.org> wrote:

Hi,

On 11/24/24 17:22, Andrew M.A. Cater wrote:

5. If we're moving hardware baselines for the sake of Rust (or any other
software on this architecture) it's already too late.

Huh? Why?

[Putting my Release Team hat off] Personally I think Debian should be raising the baseline for i386. I'm not sure about to which level, but I've seen proposals in this thread.

Given that
1) we're no longer supporting i386 as a full architecture (no kernel, no installer, only in chroots or as multiarch)
2) we don't clearly have i386 porters
maybe we should seek consensus in this thread and go with that.

[Release Team hat on] I would take consensus for a decision on the topic.

Probably obvious given my other replies in this thread, but just FTR - I'd support that :)

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Nov 22, 2024 at 01:53:11PM +0100, Julian Andres Klode wrote:

We currently see a size increase of 8% (9MB uncompressed, 4MB gzipped) in an essential + apt bootstrap:

^^ that's trixie, in sid they're a bit smaller now and will probably soon shrink further:

user@debian-work:/tmp $ schroot -c trixie -- ls -lart /usr/bin/gpg-sq /usr/bin/gpgv-sq
-rwxr-xr-x 1 root root 8335016 Oct 23 11:06 /usr/bin/gpgv-sq
-rwxr-xr-x 1 root root 14995432 Oct 23 11:06 /usr/bin/gpg-sq user@debian-work:/tmp $ schroot -c sid -- ls -lart /usr/bin/gpg-sq /usr/bin/gpgv-sq
-rwxr-xr-x 1 root root 6220512 Nov 25 19:29 /usr/bin/gpgv-sq
-rwxr-xr-x 1 root root 10785096 Nov 25 19:29 /usr/bin/gpg-sq


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

warum ist symbolischer Klimaschutz immer sowas wie „es bringt zwar nicht viel,
aber die Strohhalme sind jetzt aus Pappe“ und nie „es bringt zwar nicht viel,
aber Privatjets sind jetzt verboten“ (elhotzo)

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmdKZOkACgkQCRq4Vgaa qhz7og/+JGmmrDn9+hqT008w6IrQvaHf7aolWqOh0SGlrkTc04/AqSD1+OtPJ9JT 8ib3xp+uwALCN+JOUjMQpVLOuSBjPscFmwF8UXFk+LYMNIDR1mRE7x2cNvATdKGm zaPe29ncRog4/ACp7XCN5wnK78ygzK2mYq9FvrYbERNftc011riwhclrtoMV9R5L XoUvk4S+VgrBsGA8PQp3NqDKO+r41Ja7L4gLXHf8OBSn7ptnq1dT1BI+NTtDXIXP PgZ1Osm1qEdqCDGcqmjD3oZBgLZmPGvfSg2F34mmj3mqlpJ3vp22uzVoldEkVn4S GXs9fM8aHP7IaRqq9W4Amfu8fDSffoOebuiKAPr0OyO1pQOdWU4hdZnQUaLBBmQf Cfvmq5I10tkP6hDwzGLm7zZN+4psCwP+RHOmv9uGbHJU42QxgYUxU2WZG08u06/d SA8IKcLRnLjvpWr61MYgLOQwh0Jx7te

On Thu, Nov 21, 2024 at 09:16:20PM +0100, Julian Andres Klode wrote:

I've just finished more or less, adjusting the APT test suite
to test gpgv-sq. I plan to upload APT that tests gpgv-sq
tomorrow. This ensures full compatibility between apt and
gpgv-sq going forward.

After that migrates to testing next week, I want to make
the switch: APT by default should use gpgv-sq. Previous
discussions with the security team did not reveal any
blockers for that, despite the strenuous nature of
security updates for Rust packages.

This has been delayed. There's ongoing investigation into
sqv and sqopv, which are smaller verifiers from Sequoia,
measuring only 2MB and without an SQLite dependency, hence
saving about 6MB.

We also identified issues with keys that are using SHA-1
binding signatures. I'm in the process of adding a crypto
policy override to APT to re-allow these until 2026; but
we also do not have a way to warn people about upcoming
revocations, so lots of stuff will suddenly fail on a new
year.

I don't want unstable users to switch multiple times
if possible.

There's limitations

1. gpgv-sq - this essentially mostly works as gpgv
now, so we get the feedback we are used to

2. sqopv - produces no usable feedback at this time
if signature verification failed, and also does
not respect SEQUOIA_CRYPTO_POLICY.

3. sqv - produces very detailed feedback, but does not
have supported for clearsigned files. This is _less_
of a blocker: APT detaches signatures itself anyhow
for historical reasons - gpgv lacked the ability to
do so before, and we need to ensure that the verified
bits actually match what we read later on.

RHEL 10 is adopting sq and sqv as the tooling to ship;
sqopv is technically much more powerful than sqv, though,
this may be an odd decision that they went with sqv, given
it also does not share an interface with `sq verify`.

I want to spend a day on my 4 day weekend to see if I
can whack sqopv and sqv into apt test suite compliance.

My plan here is to use

Depends: gpgv-from-sq | gpgv-sq | gpgv
Recommends: gpgv-sq

I'm considering adding architecture restrictions to
allow opt-in on architectures, giving ports the ability
to migrate when they deem ready.

In light of the discussion above about sq(op)v, this
may change into

Depends: sqv [architecture list],
gpgv [!architecture list]

We had some further discussion about gpgv not being
in widespread use and removing it from the default
bootstrap possibly being a reasonable way forward.

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en

-----BEGIN PGP SIGNATURE-----

wsG7BAABCgBvBYJnTyUXCRBvpFjdHbA/cUcUAAAAAAAeACBzYWx0QG5vdGF0aW9u cy5zZXF1b2lhLXBncC5vcmeLsWDZIEG+3W8Ai7iFhG+6o+hPVhFlf13lauI7QImb CBYhBE+1iKhMLd55p0x3h2+kWN0dsD9xAACeDA//cm/46zCf7oXPGdjwDlrAaxnQ Y9t0mscXwie3kR8k7HWqW4uIByHAzjRcD1Oc6P07K0dPsto3cVxNqbj23zFcIPFj KZ317ES9l2b2C0TX8PAsEqY4ZMTjFYV3HP8NIAdWeP5Tdjhwaz+wV47v5/qxVxpm uejo3po1PJ0nn9LFtyadsq9TqRLHGXEKkulGTWEsNdLJfPcgzXFZi2tHa9l0wIUM vBvKYU+/Nzqov0AfnxSA7t28zCGzkYHUYM74wszgtPtWgW/eZKIUHS1qBZC8n/qj vX90njOLovhkedurZ0aRme0DLHQHJt278P5sfBSxIncm2SWG0/HsNNZEXsl94rHO VMhagFFHhcfl6Y6V8+FxvVoMfRSGutQu/eX2z9LyoUXATNQvql10+ZugGmfC2/yl 4ZH9ql+jGYfYTXWGv1BdqV69QWyoM9TOGsBvGWM6be6ONwTzFfB6h4hoyVidizBF zBZbmSPwwFdMEtF05KMvMwFflK69iEaI0kzZ3urtDkyQ2DqCWWveOVtE5vxetrq8 79A5yq7qFAGT1JIQ/eOAVvizqMflWTZSPTSqzlgbPGSnZ/9SYU0L4PK4jX7sOsBR duKborr/P1TfteaJBb2on+lnPsXJrjpP2CdaAznxms3aWChrw9xmWzSTTH

On Tue, Dec 03, 2024 at 04:34:52PM +0100, Julian Andres Klode wrote:

On Thu, Nov 21, 2024 at 09:16:20PM +0100, Julian Andres Klode wrote:

I've just finished more or less, adjusting the APT test suite
to test gpgv-sq. I plan to upload APT that tests gpgv-sq
tomorrow. This ensures full compatibility between apt and
gpgv-sq going forward.

After that migrates to testing next week, I want to make
the switch: APT by default should use gpgv-sq. Previous
discussions with the security team did not reveal any
blockers for that, despite the strenuous nature of
security updates for Rust packages.

This has been delayed. There's ongoing investigation into
sqv and sqopv, which are smaller verifiers from Sequoia,
measuring only 2MB and without an SQLite dependency, hence
saving about 6MB.

An sqv backend is now available in apt-team/apt!409 and in
experimental in apt 2.9.17+exp1.

Note that the experimental upload only supports architectures
with sqv available. There is no fallback yet.

The plan is to detect if sqv is available at build time, by
build-depending on sqv for the correct set of architectures,
and then generate a `Depends: sqv` for those architectures,
and `Depends: gpgv` for other (ports) architectures.

The sqv binary is about 2MB large when optimized for size,
and provides good feedback when a key cannot be verified.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en

-----BEGIN PGP SIGNATURE-----

wsG7BAABCgBvBYJnYgL4CRBvpFjdHbA/cUcUAAAAAAAeACBzYWx0QG5vdGF0aW9u cy5zZXF1b2lhLXBncC5vcmey32GfIcp5vyNv79BPinH33a2IMMyAYlEgrjOf5k6X bxYhBE+1iKhMLd55p0x3h2+kWN0dsD9xAAAJ+BAAlvusxPhOk8coNxvdryW7Btii yucqnzAJCtfzQvSV8V/uqun/JgviSqKbsn++A4X3BVNAtf5u2HYXoAsbFRp4nmCX GQaC2mvX/VXOKJSMAHyO/GgHBpk3moxW4X2lMfElEZ6BTGo4wF/HUiE5Vn0hma1a ooT5cej6qIV2oOUxgvAgfUWKd7QqsLhhrFAS9wG5uZWg58zpzdwTjZApc/6hgC53 lfQeaEStBkpEW7hEWNacixTUcOVSmdxLylk1m++0wjQgtYWfwni8/shoo4nUAIXL KsbrVA6MoXPpp2zuNZah6bdL3ZZK33C2mRKCzAMIg1OLvgNK/3rWXPk5warnl9QR dUvOkgCyvhyUQyagLZNXyOUfA43lxxnao8PsOgQF2CWzqmoFFDpAOKI0JCRiiDb/ xuy0tKvejt8PJh3IF4iosVWX/OVzrPr8lN0ukCOjbAvV1SDu+XnbfegnuMGW45KB sL8uAauplT3qORRhMxXWKyc6wJBhRMvEyno/Ye8fc9EpHZqny9pgXKOfYTYFOvDS p9g+EQUHRqe9vgRuS6z2IizuZzAs1Ln1Ti+xYb/JCr4yQ+0/jp4wK8S32LkTRfBi Tp7oN3jA5VNnp1F3HJ5ST5UtQVkyHC2jl3bXJo1whM01dN7SgQzTyj9FIu

On Mon, Dec 23, 2024 at 12:29:09PM +0100, Julian Andres Klode wrote:

On Wed, Dec 18, 2024 at 12:02:18AM +0100, Julian Andres Klode wrote:

On Tue, Dec 03, 2024 at 04:34:52PM +0100, Julian Andres Klode wrote:

On Thu, Nov 21, 2024 at 09:16:20PM +0100, Julian Andres Klode wrote:

I've just finished more or less, adjusting the APT test suite
to test gpgv-sq. I plan to upload APT that tests gpgv-sq
tomorrow. This ensures full compatibility between apt and
gpgv-sq going forward.

After that migrates to testing next week, I want to make
the switch: APT by default should use gpgv-sq. Previous
discussions with the security team did not reveal any
blockers for that, despite the strenuous nature of
security updates for Rust packages.

This has been delayed. There's ongoing investigation into
sqv and sqopv, which are smaller verifiers from Sequoia,
measuring only 2MB and without an SQLite dependency, hence
saving about 6MB.

An sqv backend is now available in apt-team/apt!409 and in
experimental in apt 2.9.17+exp1.

Note that the experimental upload only supports architectures
with sqv available. There is no fallback yet.

The plan is to detect if sqv is available at build time, by
build-depending on sqv for the correct set of architectures,
and then generate a `Depends: sqv` for those architectures,
and `Depends: gpgv` for other (ports) architectures.

The sqv binary is about 2MB large when optimized for size,
and provides good feedback when a key cannot be verified.

The Sequoia sqv backend is now the default backend in unstable
for architectures that have it (all release architectures, most
ports).

2.9.19 also replaces internal GnuTLS and gcrypt use with OpenSSL,
and all use of GnuPG in the test suite with Sequoia's `sq` command.

There is a backwards-incompatible change: Signed-By can no
longer contain an exact subkey match (suffix "!"). That
information is - rightly so - not available in the sqv
output.

Space consumption, with apt from experimental:

105M experimental.min.tar
192M experimental.tar
114M unstable.min.tar
196M unstable.tar

i.e. we see a 9MB saving for essential+apt, and a 4MB saving
for a default mmdebstrap. Something still pulls in gpgv there
which is unfortunate, we lack a 5MB savings.

More savings can be achieved by building sqv using openssl,
then we stop pulling in nettle.


--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en

-----BEGIN PGP SIGNATURE-----

wsG7BAABCgBvBYJnaU4gCRBvpFjdHbA/cUcUAAAAAAAeACBzYWx0QG5vdGF0aW9u cy5zZXF1b2lhLXBncC5vcmf1uy4JvnHG278Lo/rk+lGlziT92bRvtcsIWUlMZTxg VRYhBE+1iKhMLd55p0x3h2+kWN0dsD9xAADlOA//RWpl2VVsG5Fcf1GXcj9FAcu5 WkzMJSeby8QNaLrUwRE7vL6nF6bR4BrPF0gz29tIlVxxV0pvS+5L6e2VJ23qgZrj 7xY1tvEowYal2MizomiptPCgR8dmo7bsGRDPAfhG39KmB3Z5NqGHEyRPZgdtJKAh yciQY8evosGQBU/DwxOGHg3xzIwX6FIy/cxiw+VqspbX2PpAzh6jo4noi0qBsupo H4u1RiIvv+sTM9+N/0QX2+84LcdGDhLcOjdsizBBv5cKTG9JTQ7cSnG6DnFUQtKr 7UWe/Zxxo0UC37vx9Vxxnw9/RyuIG0Zi2qFeaXqJlMJgCKnGzE2Hl6kBbKhIw7rN Dr+myzPw5Gq7vWKd9tQIV6Z3UVOnlKTQ/UrVKflzdBKq9qZE65o3CbTS8+XwaCWL 2HFeTYWWfITZR/Kl1dPfgz/7OIy65Hi+hsT8zVhDRCfwta+eBdz8kNrvHNxM3kXE OeLI4r6f0tvvWaMTNAKGPJv4nObO8eZ4S4vzDzQ6onUWvmB+gfQDxbJ7U8ijrvhe kExN+r0JZMqSh9keYOdLPMOl4uUK1m1nllZaeDdqhqBR1FSLjDgFs6gxEEq7ndqW Dz14T5ZEC6uSYXQwlxHxolncyggos4IasWvh/w7kwJBmuOw3UKYATHj09J

On Wed, Dec 18, 2024 at 12:02:18AM +0100, Julian Andres Klode wrote:

On Tue, Dec 03, 2024 at 04:34:52PM +0100, Julian Andres Klode wrote:

On Thu, Nov 21, 2024 at 09:16:20PM +0100, Julian Andres Klode wrote:

I've just finished more or less, adjusting the APT test suite
to test gpgv-sq. I plan to upload APT that tests gpgv-sq
tomorrow. This ensures full compatibility between apt and
gpgv-sq going forward.

After that migrates to testing next week, I want to make
the switch: APT by default should use gpgv-sq. Previous
discussions with the security team did not reveal any
blockers for that, despite the strenuous nature of
security updates for Rust packages.

This has been delayed. There's ongoing investigation into
sqv and sqopv, which are smaller verifiers from Sequoia,
measuring only 2MB and without an SQLite dependency, hence
saving about 6MB.

An sqv backend is now available in apt-team/apt!409 and in
experimental in apt 2.9.17+exp1.

Note that the experimental upload only supports architectures
with sqv available. There is no fallback yet.

The plan is to detect if sqv is available at build time, by
build-depending on sqv for the correct set of architectures,
and then generate a `Depends: sqv` for those architectures,
and `Depends: gpgv` for other (ports) architectures.

The sqv binary is about 2MB large when optimized for size,
and provides good feedback when a key cannot be verified.

The Sequoia sqv backend is now the default backend in unstable
for architectures that have it (all release architectures, most
ports).

2.9.19 also replaces internal GnuTLS and gcrypt use with OpenSSL,
and all use of GnuPG in the test suite with Sequoia's `sq` command.

There is a backwards-incompatible change: Signed-By can no
longer contain an exact subkey match (suffix "!"). That
information is - rightly so - not available in the sqv
output.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en

-----BEGIN PGP SIGNATURE-----

wsG7BAABCgBvBYJnaUmDCRBvpFjdHbA/cUcUAAAAAAAeACBzYWx0QG5vdGF0aW9u cy5zZXF1b2lhLXBncC5vcme9vM9CGwsbqLIkTUXRuKcI2jHLd7LfdvmIyMwq3fM4 VhYhBE+1iKhMLd55p0x3h2+kWN0dsD9xAABPYw//UzwIl9Xil1Hj49Q3di6FAnlE X71jSHfOrmp1AjAr5fKhbJ9o/doUQPkcpFsRmEPaFnmxPObMo3wq0yadK1jXgopg 6wihV/PYGV4dYODqbImGBih5WZB1nUNK9WV5iX3+19q7fsiiN59TAE3SWAncRX5l uml930XKnzXGZS8/RXX2AB2Cli8HV9yD5Nuvx8TO2ROmaSEL5r+ugzgJ3FSsdLWA pePPBywMQSjTGMoATRRb9W6O3Cxa69j52GSRTB4lJ9BtcSZHUcS6YU8mis7Vcyvv O30D0K87sYFerRcOQ8T4Wrjh2Ho3eG2YtO2uCDP2cGKahouXHbv3nP3tm5usY7/+ /XlZL/JYAPCMXjJO70yOYDKy0TSzEmrOc6zzxRsnDfDYXT3fZSqRgXtRPx4JhDOu 9fwDgmUOrDacLJsAvikc7Wx/A+26npbZTL2hHJcLsHXgIffVvpR4cmMwlPM21i5d PaFNmcvye4kFuSCdWEIGmQc8lWKIQ5Im1RADjBl8UR378KrU23g6kODPbVO+KOAK VGiRIgD1KT92B1Z3g6P2UtqcGzy//9v/b8pRt8/28hUjaS5A+gw5mF3Tk3jxrXNR kTzEV7JHe+rrqgGicRgZbLzEvZlJQpH3Pu8ybgAtcl+OOhj8+kpN7Szbh6

On Mon, Dec 23, 2024 at 12:48:50PM +0100, Julian Andres Klode wrote:

i.e. we see a 9MB saving for essential+apt, and a 4MB saving
for a default mmdebstrap.

very nice!

Something still pulls in gpgv there
which is unfortunate, we lack a 5MB savings.

More savings can be achieved by building sqv using openssl,
then we stop pulling in nettle.

/me nods, something for 2025.

which reminds me something to share here: in the last weeks I've enabled
size optimisations for chameleon and sqv bringing down the sizes (in
bytes) from

6208216 /usr/bin/gpgv-sq
10780992 /usr/bin/gpg-sq
2958984 /usr/bin/sqv

to

4533016 /usr/bin/gpgv-sq
7319936 /usr/bin/gpg-sq
1718816 /usr/bin/sqv

with hardly an impact on performance.

Doing the same for sq is my agenda as well as packaging sq 1.0 :)


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

It's the end of the world as we know it - and I feel fine.

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmdpVO8ACgkQCRq4Vgaa qhzsdxAAsqFmegeE4tWlNcfTuNAJ7LJCFKdQPjurRxyds4toW538preV/EaZoFQQ k7UFDkHf2sbuW9uyVSh51GuEagibTqSIl/UDPY8hXllvpw+ilVvG0fXExYi7pXQa JIAahiWpPmRgJJM8drfCrwZiZmUT3QpfnRbhKrjr1i9JfugFwNLVi45E0N15L9n4 BRVH90jc6PGFNBc40+w+YJq5H+A4cmBPw1zCw+/yEEq1UuERA3mTo9R3XlborVm2 iTIKmx6CYalEZM0SBpIMTL/ejqfMkeQlrHiTzpFZTs40jEsjndBo1Vvqnj4ujD0D mKIk0/MK9edvwpc+qD85nfkzOFpQUpRECE2t09l2lqB/bOhQEkfntfx5MCJJ0Gjk YH1PJRiTGcvdtrUdrpTR6YQ0PK6fk40b12JbyuxV1kuzHrk9bvGFhSb8ZmcpQDU2 RPKeZ7bzNEl5BiVzvzgUroojwFY7tSG/yRHLJwllKmWgeQarZ/SCymsqNDVJyerr pZmCmaevK3n8WfKSkfkG7SGK11zokxb/d5vUlcC3ice6EeUhrNce8OuiLPrNoJl1 mPWg04Hbon+aggLMg78h0rbYT6GFEQwgPT80VWDn5ensDeKRNAlbwe

* Julian Andres Klode <jak@debian.org> [241223 12:49]:

Something still pulls in gpgv there
which is unfortunate, we lack a 5MB savings.

dpkg-dev Depends: gpgv | sq | ...

That seems odd. Maybe it wants gpgv | sqv | ...
instead?

If its not dpkg-dev, I don't see whats pulling gpgv.

Chris

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi!

On Mon, 2024-12-23 at 13:20:39 +0100, Chris Hofstaedtler wrote:

* Julian Andres Klode <jak@debian.org> [241223 12:49]:

Something still pulls in gpgv there
which is unfortunate, we lack a 5MB savings.

I think that would be gpgv being Priority: important, which makes
debootstrap and friends pull it in by default. I guess that might
need to be swapped now.

dpkg-dev Depends: gpgv | sq | ...

That seems odd. Maybe it wants gpgv | sqv | ...
instead?

I do have a branch to add support for sqv, should get in with the next
dpkg upload. And probably can now swap the order of preference there
too.

Thanks,
Guillem

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, Dec 23, 2024 at 01:57:42PM +0100, Guillem Jover wrote:

Hi!

On Mon, 2024-12-23 at 13:20:39 +0100, Chris Hofstaedtler wrote:

* Julian Andres Klode <jak@debian.org> [241223 12:49]:

Something still pulls in gpgv there
which is unfortunate, we lack a 5MB savings.

I think that would be gpgv being Priority: important, which makes
debootstrap and friends pull it in by default. I guess that might
need to be swapped now.

This is being tracked in 1091200 (the demotion). I didn't suggest
a swap, after all, apt's dependencies will pull in the right one.

dpkg-dev Depends: gpgv | sq | ...

That seems odd. Maybe it wants gpgv | sqv | ...
instead?

I do have a branch to add support for sqv, should get in with the next
dpkg upload. And probably can now swap the order of preference there
too.

Sweet!

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Nov 24, 2024, at 6:23 PM, Paul Gevers wrote:

Hi,

On 11/24/24 17:22, Andrew M.A. Cater wrote:

5. If we're moving hardware baselines for the sake of Rust (or any other
software on this architecture) it's already too late.

Huh? Why?

[Putting my Release Team hat off] Personally I think Debian should be
raising the baseline for i386. I'm not sure about to which level, but
I've seen proposals in this thread.

Given that
1) we're no longer supporting i386 as a full architecture (no kernel, no installer, only in chroots or as multiarch)
2) we don't clearly have i386 porters
maybe we should seek consensus in this thread and go with that.

[Release Team hat on] I would take consensus for a decision on the topic.

been a month and a half now, with only pro voices in response to this (although not that many). how do we (want to) proceed? is this just a matter of the release time deciding that the baseline has been raised and communicating that, or is there some
formal process involved (i.e., should I file a bug somewhere with a concrete baseline proposal?)?

the next rustc release is in 6 days, the one after (which I also very much would like to land in Trixie, freeze timeline and policies permitting ;)) 6 weeks after that. if the baseline is raised I'd drop the corresponding patches in rustc (I already did
a test build of 1.83 and don't expect any immediate issues there), but the sooner I can do that the more time we have to handle fallout on the crate packages side (which is mostly dropping patches as well, since upstream normally conforms to stock
semantics, and not to the Debian i386 ones).

thanks for your consideration!
Fabian

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)