Closed NicoHood closed 7 years ago
Hi! Uh oh, the "python-gnupg" you're packaging isn't my python-gnupg. I think it may be Vinay Sajip's, in which case you have a version with a shell escape security vulnerability in it. This library was created because of that vuln, and is now entirely different to the thing you're packaging.
Sorry for the confusion! Please feel free to reopen if I can do something more to assist.
I also contacted the other library maintainer. He fixed this issue already. Maybe you can get in touch with him and work together on a single version. I've noticed you both have some additional features, so it might be worth working together. Due to compatibility I will not update the Arch Linux package, also because the other library is still under development.
Hi, I am the packager of the ArchLinux Package of python-gnupg. I want to upgrade from version 0.4 to your version. Now I need your help:
I only want to provide packages with gpg signatures. I found that you provide them here. However, those links are ugly long and I also trust the GitHub source more. You could try to use gpgit to sign your sources automatically and upload those to GitHub. (Btw: I am thinking of porting and enhancing the tool with Python, so your module will possibly also be a part/dependency of gpgit soon.)
The other question I have is: what has changed since 0.4? Can you give me a short summary that I can present to those who upgrade the package? This would help them port their code to the more up-to-date version (also myself).
Thanks :)