PureOS Tracker

poldi: does not support ECC-based GPG keys
Open, Normal, Public

Description

Commit 9fde47b enables the use of ECC curve-based GPG keys by the Librem Key for PAM-based operations (logging in, sudo, etc.). This change was committed over two years ago (14 April 2019). Given that RSA keys will become increasingly vulnerable, it would be good to get this in.

Event Timeline

PureOS 10 has

Package: libpam-poldi
Source: poldi (0.4.2+git20161115.553060d-1)
Version: 0.4.2+git20161115.553060d-1+b1

This is the same as Debian (Buster, Bullseye, Sid).

I cannot find "commit x"
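One way to check, from the version string alone, whether an installed libpam-poldi could contain the ECC commit, as an added example that is not from the tracker or from the poldi project: Debian's poldi versions embed a git snapshot date (the "0.4.2+git20161115.553060d" form shown above), and a snapshot taken before the commit date of 14 April 2019 cannot include it. The function names, the fallback version string and the date cutoff are constructed for this example; the long commit hash is the one linked later in this task.

```shell
#!/bin/sh
# Added example: is an installed libpam-poldi a git snapshot that can contain
# the ECC-enabling poldi commit? Debian's version strings look like
#   0.4.2+git20161115.553060d-1+b1
# i.e. upstream "0.4.2+git<YYYYMMDD>.<short-sha>" followed by the Debian revision.
# The ECC commit is dated 14 April 2019 (date taken from this task).
ECC_COMMIT_DATE=20190414
ECC_COMMIT=9fde47b49dbdfb6a3308c7c62c487527fc0c43ed

# Print the YYYYMMDD snapshot date embedded in a Debian version string; fail if none.
snapshot_date_of() {
    ver=$1
    case $ver in
        *+git[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]*) ;;
        *) return 1 ;;
    esac
    d=${ver#*+git}        # drop everything up to and including "+git"
    d=${d%%[!0-9]*}       # keep the leading digits only
    [ ${#d} -eq 8 ] || return 1
    printf '%s\n' "$d"
}

# Exit 0 if the snapshot is dated on or after the ECC commit (fix may be present),
# 1 if it predates the commit (fix is certainly absent), 2 if the version is not
# a git snapshot at all and has to be checked by other means (changelog, source).
snapshot_may_have_ecc_fix() {
    d=$(snapshot_date_of "$1") || return 2
    [ "$d" -ge "$ECC_COMMIT_DATE" ]
}

# Stronger check when a clone of poldi.git is available: is the packaged
# snapshot commit a descendant of the ECC commit?  (Not run offline.)
commit_in_snapshot() {    # usage: commit_in_snapshot /path/to/poldi 553060d
    git -C "$1" merge-base --is-ancestor "$ECC_COMMIT" "$2"
}

# Check the installed package; fall back to the PureOS 10 version quoted above.
installed=$(dpkg-query -W -f='${Version}' libpam-poldi 2>/dev/null \
            || echo '0.4.2+git20161115.553060d-1+b1')
snapshot_may_have_ecc_fix "$installed" && rc=0 || rc=$?
case $rc in
    0) echo "$installed: snapshot dated on/after the ECC commit; confirm with commit_in_snapshot" ;;
    1) echo "$installed: snapshot predates the ECC commit; ECC-based keys will not work with PAM" ;;
    *) echo "$installed: not a git snapshot version; check the package changelog" ;;
esac
```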

jeremiah.foster triaged this task as Normal priority. Jun 2 2021, 08:15
brianj added a comment. Jun 2 2021, 08:19

Understood that you're at the same commit level as Debian. I don't understand why they haven't applied that commit either. My thought was that I'd have better luck filing the request in PureOS's tracker rather than Debian's, because this materially affects the use of the Librem Key.

And I have no idea why/how the commit number was removed from my comment, but here's a link to the actual commit itself:

https://git.gnupg.org/cgi-bin/gitweb.cgi?p=poldi.git;a=commit;h=9fde47b49dbdfb6a3308c7c62c487527fc0c43ed

Thanks!

In general I feel it's better that we receive into PureOS Debian packages as maintained by our upstream, namely Debian. It gives me pause that in this case, the maintainer of libpam-poldi and the person doing a lot of commits in the GitHub mirror is the same person: https://github.com/gpg/poldi/commits/master. I don't know what it means that the package hasn't been updated in Debian - does the maintainer not have enough time? Is the patch still undergoing testing?

brianj added a comment. Jun 2 2021, 10:17

I'm not sure if it's still undergoing testing. I can tell you that Nitrokey is referencing it here:

https://www.nitrokey.com/documentation/applications#os:linux&a:computer-login&p:nitrokey-pro

There's a section at the bottom of the "Computer Login" section linking directly to the patch. I'll confess to some curiosity as to why it's been left in limbo so long myself.

I find it unlikely that the Debian maintainer will join discussions here, and they are most suitable to address this issue.
Therefore I urge you to please file a bug report in Debian and discuss it there.

brianj added a comment. Jun 2 2021, 12:52

After digging through the Debian bug logs, they have a bug already filed under a similar title whose fix would cover this as well.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922049

I don't know if you all want to leave this open to track that bug, or if you want to mark as resolved since this is essentially a duplicate of the upstream bug. Either way works for me.

Thanks!

Makes sense to keep it open, I guess - but I don't expect much will happen here except keeping an eye on progress of this issue in Debian.

jonas.smedegaard renamed this task from "Include commit 9fde47b for poldi package" to "poldi: does not support ECC-based GPG keys". Jun 2 2021, 15:25