* Package name : python-gnupg-ng Version : 1.2.6 Upstream Author : Isis Lovecruft <isis@leap.se> * URL : https://github.com/isislovecruft/python-gnupg * License : GPL Programming Lang: Python Description : A Python wrapper for GnuPG A Python interface for handling interactions with GnuPG, including keyfile generation, keyring maintenance, import and export, encryption and decryption, sending to and recieving from keyservers, and signing and verification. .. This is a fork of python-gnupg (from version 0.3.2), patched to sanitize untrusted inputs, due to the necessity of executing subprocess.Popen([...], shell=True) in order to communicate with GnuPG. Several speed improvements were also made based on code profiling, and the API has been cleaned up to support an easier, more Pythonic, interaction.
Hi, Ben Carrillo <ben@futeisha.org> writes: Why exactly should shell=True be necessary? Ansgar
The upstream version claims to still be called python-gnupg. There is a python-gnupg package that hasn't been updated since 2014. How does this package fit in with the existing python-gnupg package? Thanks, Iain.
It turns out that shell=True (basically what started the fork) is not needed now. Vinay changed it in the latest release of the "original" python gnupg, which came after a bunch of CVEs and some comments in this thread as a result of python-gnupg-ng: http://seclists.org/oss-sec/2014/q1/303 The original reason for doing shell=True is/was commented on python-gnupg (original) code: without that, it didn't work in windows. So while it is true that Shell=True is not needed, python-gnupg-ng has other advantages: its more community based (it has a bugtracker and public repo, to begin with), the code has diverged from the original a bit in adding various gnupg functionality to the module, re-reading of the original having security and documentation in minde and improving the overall code quality. I'd argue that including this in Debian is a win because this one has: * Better gnupg options parsing * Better code structure. * Better documentation. * Open repo and bugtracker. Also - we have a package ready to upload for it.
Hi, micah anderson wrote (14 Aug 2014 21:12:03 GMT) : Where can I find this package? Cheers, -- intrigeri
intrigeri <intrigeri@debian.org> writes: It is available at: deb http://deb.leap.se/debian sid main as well as the git repository: git clone https://leap.se/git/python_gnupg-ng.git
Will be nice if python-gnupg-ng enters in debian. Besides my personal trust on the skills of the fork's maintainer, and her criteria on the need of rework it's security, the fact that the fork has an open active community I think fits better the debian way. Is there any blocker for it?
For the record, this package is now in NEW: https://ftp-master.debian.org/new/python-gnupg-ng_1.3.1-1.html I also support the inclusion of this package in the archive. A.
note that upstream is considering a rename: https://github.com/isislovecruft/python-gnupg/issues/47
retitle 754120 RFP: python-gnupg-ng -- A Python wrapper for GnuPG noowner 754120 tag 754120 - pending thanks Hi, A long time ago, you expressed interest in packaging python-gnupg-ng. Unfortunately, it seems that it did not happen. In Debian, we try not to keep ITP bugs open for a too long time, as it might cause other prospective maintainers to refrain from packaging the software. This is an automatic email to change the status of python-gnupg-ng from ITP (Intent to Package) to RFP (Request for Package), because this bug hasn't seen any activity during the last 12 months. If you are still interested in packaging python-gnupg-ng, please send a mail to <control@bugs.debian.org> with: retitle 754120 ITP: python-gnupg-ng -- A Python wrapper for GnuPG owner 754120 ! thanks It is also a good idea to document your progress on this ITP from time to time, by mailing <754120@bugs.debian.org>. If you need guidance on how to package this software, please reply to this email, and/or contact the debian-mentors@lists.debian.org mailing list. Thank you for your interest in Debian,
The development of this package has stalled while the original has continued. I am closing this because there are already enough python gnupg wrappers in Debian.