Hi all,
I'm pleased to announce the release of version 0.31.0 of
sequoia-ipc.
I have published sequoia-ipc on crates.io:
https://crates.io/crates/sequoia-ipc
You can also fetch version 0.31.0 using the ipc/v0.31.0 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/ipc/v0.31.0
which I signed:
$ git verify-tag ipc/v0.31.0
gpg: Signature made Fri Oct 27 16:39:49 2023 +02:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
This is a bug fix release.
The most noticeable fix is that using gpg-agent is now more robust.
One problem was that when using a key managed by gpg-agent, e.g., from
the chameleon, our gpg reimplementation, or from the octopus, our
OpenPGP implemenation for Thunderbird, the first interaction would
sometimes fail.
https://gitlab.com/sequoia-pgp/sequoia-chameleon-gnupghttps://gitlab.com/sequoia-pgp/sequoia-octopus-librnp
This has been improved in these commit:
https://gitlab.com/sequoia-pgp/sequoia/-/commit/648858b7b8ce1db35a6f5f4a993…https://gitlab.com/sequoia-pgp/sequoia/-/commit/c5670ce4958a33c4a7c3b861bdb…
We also added support for GnuPG's loopback pinentry mode.
Neal on behalf of the whole Sequoia PGP team
Hi all,
I'm pleased to announce the release of version 1.17.0 of
sequoia-openpgp, our low-level OpenPGP library.
I have published sequoia-openpgp on crates.io:
https://crates.io/crates/sequoia-openpgp
You can also fetch version 1.17.0 using the openpgp/v1.17.0 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/openpgp/v1.17.0
which I signed:
$ git verify-tag openpgp/v1.17.0
gpg: Signature made Fri Oct 27 09:21:43 2023 +02:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
This release includes significant testing improvements, infrastructure
upgrades, new functionality, performance increases, and a number of
minor bug fixes.
# Testing Improvements
This release includes a new "null" crypto backend, which faciliates
fuzzing:
https://gitlab.com/sequoia-pgp/sequoia/-/commit/a4c2b9f50a9f6e6539154eb3bce…
Fuzzing works by passing invalid or malformed input to a function to
uncover defects. As decryption and signature verification is highly
sensitive to malformed input, the cryptography routines would quickly
reject malformed input, which prevented the fuzzer from exercising the
non-crypto related code.
The null crypto backend faciliates fuzzing by accepting pretty much
anything. Specifically, it uses a highly optimized version of double
ROT-13 to encrypt and decrypt data, and indicates that all signatures
are valid. This fuzzing uncovered a bug, which has also been fixed:
https://gitlab.com/sequoia-pgp/sequoia/-/commit/3c76d468060a02b0aa129308bc4…
There is also a new framework to detect secrets that are leaked to the
heap or stack. This happens when memory that stores a secret is not
erased after it is deallocated. Erasing secrets can help prevent
heartbleed-style attacks.
https://heartbleed.com/
See, in particular, this commit for a lot of technical details and a
description of the approach:
https://gitlab.com/sequoia-pgp/sequoia/-/commit/c62fb995baee091ef6009a06068…
The good news is that most crypto backends are good at protecting
their secrets. One issue was reported to the Rust aes crate, and a
partial fix has since been committed:
https://github.com/RustCrypto/block-ciphers/issues/385
# Infrastructure Upgrades
On the infrastructure side, we now use Sequoia git to enforce a
signing policy:
https://gitlab.com/sequoia-pgp/sequoia/-/commit/18dd64b9548ad151fdfa0ec8f67…
Sequoia git is a new tool that we've been working on to simplify the
articulation and verification of a signing policy:
https://gitlab.com/sequoia-pgp/sequoia-git
The basic idea is that a file, `openpgp-policy.toml`, is added to a
git repository. It contains a list of who is authorized to add
commits, sign tags, and change the policy. The `sq-git` CLI can then
be used to ensure that a version (e.g., a commit) is an authorized
derivation in the sense that each change made since an earlier, known
good version (the trust root) is consistent with a parent commit's
signing policy. More details are in the specification:
https://sequoia-pgp.gitlab.io/sequoia-git/
Using this tool, downstream users can detect changes that were not
authorized by the upstream developers, e.g., modifications by a
package registry, a forge, or some other machine in the middle.
Using the commit where the signing policy was added as our trust root,
we can authenticate all commits up to the openpgp/v1.17.0 tag:
$ sq-git log --trust-root 18dd64b9 openpgp/v1.17.0 && echo Authenticated.
81d59e96ea37083b187909f12d298e5196c65130..65448ef8932cc8136b67445267e0f9849b7395c0: neal [74E445BA0E15C957]
...
Authenticated.
# New Functionality
Sequoia now includes better support for early v4 certificates. These
certificates often lacked a key flags subpacket. Previously, Sequoia
would consider these certificates to be unusable, as it concluded the
keys had no capabilities. Now, Sequoia more closely matches the
behavior of other implementations by inferring the key flags from the
algorithm, and the key's role (i.e., whether it is a primary key or a
subkey). See:
https://gitlab.com/sequoia-pgp/sequoia/-/commit/9e48a064e55e5ee61bc8caf6d7d…
This release adds support for Camellia and DSA to the Rust Crypto
backend:
https://gitlab.com/sequoia-pgp/sequoia/-/commit/e2cb5bafb95fea51328238acac9…https://gitlab.com/sequoia-pgp/sequoia/-/commit/13d56eddcaa3925fb3bfa8ef422…
Note: the algorithms supported by each of the backends is listed on
the status page:
https://sequoia-pgp.org/status/
Sequoia now also uses SHA-1 CD in place of SHA-1 everywhere.
https://gitlab.com/sequoia-pgp/sequoia/-/commit/5188c044b9f6645dd05a0918d4a…
# Performance Increases
Generating a certificate is now much faster. Previously, the
certificate was canonicalized after each key was added. For a
certificate with a primary key and two subkeys, this means that it was
canonicalized three times. Each time a certificate is canonicalized,
all of the signatures are checked. Now, the certificate is only
canonicalized once, at the end.
https://gitlab.com/sequoia-pgp/sequoia/-/commit/4a2c51173f9dc48ebd864998238…
Neal on behalf of the whole Sequoia PGP team
Hi all,
I'm pleased to announce the release of version 1.3.0 of
buffered-reader, an enhanced version of the `BufRead` trait from
Rust's standard library.
https://doc.rust-lang.org/stable/std/io/trait.BufRead.html
I have published buffered-reader on crates.io:
https://crates.io/crates/buffered-reader
You can also fetch version 1.3.0 using the buffered-reader/v1.3.0 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/buffered-reader/v1.3.0
which I signed:
$ git verify-tag buffered-reader/v1.3.0
gpg: Signature made Thu Oct 26 17:05:24 2023 +02:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
This release includes two new constructors, `File::new` and
`File::new_with_cookie`, which wrap `std::fs::File`. These interfaces
allow for some low-level manipulation of the File object before it is
wrapped. For instance, it is possible to stat(2) the file to get the
file size, or to implement metadata-based caching. For more details,
please see:
https://docs.rs/buffered-reader/1.3.0/buffered_reader/struct.File.html#meth…
Neal on behalf of the whole Sequoia PGP team
Hi all,
I'm pleased to announce the release of version 1.16.1 of
sequoia-openpgp, our low-level OpenPGP library.
I have published sequoia-openpgp on crates.io:
https://crates.io/crates/sequoia-openpgp
You can also fetch version 1.16.1 using the openpgp/v1.16.1 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/openpgp/v1.16.1
which I signed:
$ git verify-tag openpgp/v1.16.1
gpg: Signature made Tue Sep 26 11:27:04 2023 +02:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
This is a minor bug fix release. Unfortunately, due to a limitation
in cargo's dependency resolver, it is not possible to ensure that two
dependencies use the same version of a third crate. With the recent
release of win-crypto-ng, this leads a build failure when compiling
sequoia-openpgp with an up-to-date Cargo.lock file.
The specific problem is:
- ed25519-dalek version 1.0.1 depends on rand_core 0.5;
- the latest release of win-crypto-ng (0.5.1) depends on rand_core
0.5 or 0.6;
- cargo compiles ed25519-dalek against rang_core 0.5, and
win-crypto-ng against rand_core 0.6;
- sequoia-openpgp passes an object returned by win-crypto-ng to
ed25519-dalek;
- ed25519-dalek requires that that object implement a trait exported
by rand_core;
- rustc (correctly) considers the trait from rand_core 0.5 to be
different from the trait with the same name from rand_core 0.6,
and complains.
This can be fixed by manually running:
cargo update -p win-crypto-ng --precise 0.5.0
This forces the use of an old version of win-crypto-ng. As it is
tricky for end users to figure out that this is necessary, 1.16.1
forces the use of win-crypto-ng 0.5.0.
See https://gitlab.com/sequoia-pgp/sequoia/-/issues/1052 for more
details. Thanks to Jens Reimann for reporting the issue.
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce the release of version 0.31.0 of Sequoia sq, our
general-purpose command-line tool for Sequoia PGP.
We have released sequoia-sq on crates.io:
https://crates.io/crates/sequoia-sq
You can also fetch version 0.31.0 using the v0.31.0 tag:
https://gitlab.com/sequoia-pgp/sequoia-sq/-/tags/v0.31.0
which has been signed by Neal H. Walfield:
$ git verify-tag v0.31.0
gpg: Signature made 2023-07-05T14:21:36 CEST
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [full]
gpg: aka "Neal H. Walfield <neal(a)pep-project.org>" [full]
gpg: aka "Neal H. Walfield <neal(a)sequoia-pgp.org>" [full]
gpg: aka "Neal H. Walfield <neal(a)gnupg.org>" [full]
gpg: aka "Neal H. Walfield <neal(a)pep.foundation>" [full]
This release introduces a few changes to the commandline interface as well as a
new feature.
Most notably, it is now possible to create and attach new subkeys to existing
certificates using `sq key subkey add`.
The revocation commands below `sq revoke` have been split up and moved to `sq
key revoke`, `sq key subkey revoke` and `sq key userid revoke`.
The `--expires` and `--expires-in` parameters have been unified as `--expiry`.
The command for generating new certificates (`sq key generate`) now uses the
more generalized `--output` instead of `--export` for writing to file.
More information is available here:
https://sequoia-pgp.org/blog/2023/07/05/202307-sq-commandline-improvements/
David on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce the release of version 0.30.1 of Sequoia sq,
our general-purpose command-line tool for Sequoia PGP.
I have published sequoia-sq on crates.io:
https://crates.io/crates/sequoia-sq
You can also fetch version 0.30.1 using the v0.30.1 tag:
https://gitlab.com/sequoia-pgp/sequoia-sq/-/tags/v0.30.1
which I signed:
$ git verify-tag v0.30.1
gpg: Signature made Wed May 31 10:58:07 2023 +02:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
This release of sq was primarily motivated by the recently fixed,
low-severity vulnerabilities in sequoia-openpgp, buffered-reader, and
sequoia-autocrypt. More information is available here:
https://lists.sequoia-pgp.org/hyperkitty/list/announce@lists.sequoia-pgp.or…https://lists.sequoia-pgp.org/hyperkitty/list/announce@lists.sequoia-pgp.or…
All versions of sq are affected. We recommend upgrading to 0.30.1, or
ensuring that the dependencies are up to date and recompiling:
$ cd ../sequoia-sq
$ cargo update -p sequoia-openpgp
$ cargo update -p buffered-reader
$ cargo update -p sequoia-autocrypt
$ cargo build --release
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce the release of version 7.3.0 of the nettle
crate.
Justus published nettle on crates.io:
https://crates.io/crates/nettle-rs
You can also fetch version 7.3.0 using the v7.3.0 tag:
https://gitlab.com/sequoia-pgp/nettle-rs/-/tags/v7.3.0
which he signed:
$ git verify-tag v7.3.0
gpg: Signature made Tue May 16 12:30:14 2023 +02:00
gpg: using RSA key 256A4E55E4A72D97AD2468E788DC7E33385F791D
gpg: Good signature from "Justus Winter <justus(a)sequoia-pgp.org>" [full]
gpg: "<teythoon(a)uber.space>"
gpg: "Justus Winter"
gpg: "Justus Winter <justus(a)gnupg.org>"
gpg: "Justus Winter <justus(a)pep.foundation>"
gpg: "Justus Winter <justuswinter(a)gmx.de>"
gpg: "Justus Winter <teythoon(a)avior.uberspace.de>"
This adds support for OCB.
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce the release of version 2.2.0 of the nettle-sys
crate.
Justus published nettle-sys on crates.io:
https://crates.io/crates/nettle-sys
You can also fetch version 2.2.0 using the v2.2.0 tag:
https://gitlab.com/sequoia-pgp/nettle-sys/-/tags/v2.2.0
which he signed:
$ git verify-tag v2.2.0
gpg: Signature made Tue May 16 10:47:23 2023 +02:00
gpg: using RSA key 256A4E55E4A72D97AD2468E788DC7E33385F791D
gpg: Good signature from "Justus Winter <justus(a)sequoia-pgp.org>" [full]
gpg: "<teythoon(a)uber.space>"
gpg: "Justus Winter"
gpg: "Justus Winter <justus(a)gnupg.org>"
gpg: "Justus Winter <justus(a)pep.foundation>"
gpg: "Justus Winter <justuswinter(a)gmx.de>"
gpg: "Justus Winter <teythoon(a)avior.uberspace.de>"
This adds support for OCB, which was added to Nettle version 3.9. And,
it fixes a bug when statically linking.
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
sequoia-autocrypt contains a parser bug, which an attacker can exploit
to cause the library to panic.
sequoia-autocrypt incorrectly indexes a UTF-8 string using byte
indices instead of grapheme cluster indices. This subtlety is
discussed here:
https://doc.rust-lang.org/book/ch08-02-strings.html#slicing-strings
This bug can be exploited by an attacker to cause a program that uses
an affected version of sequoia-autocrypt to crash. The attacker is
not, however, able to read from or write to the process's address
space. Consequently, we have classified this issues as low severity.
The fix is:
- autocrypt: Account for multi-byte characters when parsing a string.
It was found by Alexander Kjäll (capitol) and patched by
Neal H. Walfield.
0.25.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/c1894b180ef3fea4d066f1fad24…
This issue is fixed in sequoia-autocrypt 0.25.1, which I published on
crates.io:
https://crates.io/crates/sequoia-autocrypt
You can also fetch version 0.25.1 using the autocrypt/v0.25.1 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/autocrypt%2Fv0.25.1
which I signed:
$ git verify-tag autocrypt/v0.25.1
gpg: Signature made Mon May 22 11:15:33 2023 +02:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
sequoia-openpgp and buffered-reader contain several bugs, which an
attacker can exploit to cause the libraries to panic.
The bugs are all parsing errors. Attacker-controlled input can cause
different parsers to access an array using an out-of-range array
index. Because, Rust detects the use of out-of-range indices, and
panics, these bugs can be exploited by an attacker to cause a program
that uses an affected version of sequoia-openpgp or buffered-reader to
crash, but they are not able to read from or write to the process's
address space. Consequently, we have classified these issues as low
severity.
With one exception, the issues are all present in sequoia-openpgp and
buffered-reader since their initial 1.0 releases. We recommend
upgrading.
The errors are:
- buffered-reader: Fix returning partial reads ending in errors.
Found independently by Justus Winter and kpcyrd, patched by Justus
Winter.
1.2.0: https://gitlab.com/sequoia-pgp/sequoia/-/commit/f6307652fb2cbf4e0fbd3f897b1…
1.1.5: https://gitlab.com/sequoia-pgp/sequoia/-/commit/7507807dce6b87e7a1397a6414b…
1.0.2: https://gitlab.com/sequoia-pgp/sequoia/-/commit/4b02ccc1d1dcd5a105d4bb6fd32…
- openpgp: Fix crash in the packet parser.
Found independently by Paul Schaub (vanitasvitae) and Alexander
Kjäll (capitol), patched by Justus Winter.
1.16.0: https://gitlab.com/sequoia-pgp/sequoia/-/commit/b9badbdd2e9bd996fa6afd8187f…
1.8.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/e6ea6cbe12598ec50a07af4bf19…
1.1.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/17e7c8c5f5960ea05b68cbbbc27…
- openpgp: Fix a crash related to stray signatures.
Found by Justus Winter, patched by Justus Winter.
1.16.0: https://gitlab.com/sequoia-pgp/sequoia/-/commit/cce50ad4f3645011b5f8b473f6e…
1.8.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/c6cc5f4bfb6bfb55def8bce4ffe…
1.1.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/789b0d0698d65b6372c563c36d7…
- openpgp: Fix a crash in the Cleartext Signature Framework.
This error was introduced in 1.11.0.
Found by Justus Winter, patched by Justus Winter.
1.16.0: https://gitlab.com/sequoia-pgp/sequoia/-/commit/586bde682c0525175c03f9eb847…
1.8.1: Not impacted.
1.1.1: Not impacted.
- openpgp: Fix a crash in the Cleartext Signature Framework.
Found by Justus Winter, patched by Justus Winter.
1.16.0: https://gitlab.com/sequoia-pgp/sequoia/-/commit/c82beb9b30ec77b6edc291516bb…
1.8.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/976695ea2be6b6772b41adb72aa…
1.1.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/93b16c32e50b69962fef2380342…
- openpgp: Fix mapping of synthetic packets.
Found by Justus Winter, patched by Justus Winter.
1.16.0: https://gitlab.com/sequoia-pgp/sequoia/-/commit/b6388f0906315d2de7164bae36f…
1.8.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/da12da88fb9d27d11b0b347ab5a…
1.1.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/43532470f25d1df39f5ca704cd9…
The backstory of these issues is that the first issue was found by
Paul Schaub (vanitasvitae). Independently, Justus Winter, Alexander
Kjäll (capitol), and kpcyrd fuzzed the sequoia-openpgp library, and
discovered additional issues.
The sequoia-openpgp related issues are fixed in sequoia-openpgp
1.16.0, which I published on crates.io:
https://crates.io/crates/sequoia-openpgp
You can also fetch version 1.16.0 using the openpgp/v1.16.0 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/openpgp/v1.16.0
which I signed:
$ git verify-tag openpgp/v1.16.0
gpg: Signature made Tue May 16 12:46:41 2023 +02:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
I've backported these fixes to 1.1.0, which is the version that is
shipped by Debian stable, and released it as version 1.1.1.
I've published version 1.1.1 on crates.io, and you can fetch it using
the openpgp/v1.1.1 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/openpgp/v1.1.1
which I signed:
$ git verify-tag openpgp/v1.1.1
gpg: Signature made Tue May 16 15:08:46 2023 +02:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
I also backported these fixes to 1.8.0, which is the version that is
in Debian Testing, and will go into the next version of Debian Stable.
I released it as version 1.8.1
I've published version 1.8.1 on crates.io, and you can fetch it using
the openpgp/v1.8.1 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/openpgp/v1.8.1
which I signed:
$ git verify-tag openpgp/v1.8.1
gpg: Signature made Wed May 17 10:19:35 2023 +02:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
The buffered-reader related issue is fixed in buffered-reader 1.2.0,
which I published on crates.io:
https://crates.io/crates/buffered-reader
You can also fetch version 1.2.0 using the buffered-reader/v1.2.0 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/buffered-reader/v1.2.0
which I signed:
$ git verify-tag buffered-reader/v1.2.0
gpg: Signature made Wed May 17 13:34:13 2023 +02:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
I also backported these fixes to 1.0.1, which is the version that is
in Debian Stable. I released it as version 1.0.2.
I've published version 1.0.2 on crates.io, and you can fetch it using
the buffered-reader/v1.0.2 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/buffered-reader/v1.0.2
which I signed:
$ git verify-tag buffered-reader/v1.0.2
gpg: Signature made Fri May 19 15:33:25 2023 +02:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
I also backported these fixes to 1.1.4, which is the version that is
in Debian Testing, and will go into the next version of Debian Stable.
I released it as version 1.1.5.
I've published version 1.1.5 on crates.io, and you can fetch it using
the buffered-reader/v1.1.5 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/buffered-reader/v1.1.5
which I signed:
$ git verify-tag buffered-reader/v1.1.5
gpg: Signature made Fri May 19 14:26:17 2023 +02:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
Neal on behalf of the whole Sequoia PGP team