* [wrynose][PATCH 0/2] gnupg update and fix outstanding CVE
@ 2026-06-30 13:03 Roland Kovacs
2026-06-30 13:03 ` [wrynose][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20 Roland Kovacs
2026-06-30 13:03 ` [wrynose][PATCH 2/2] gnupg: fix CVE-2026-57062 Roland Kovacs
0 siblings, 2 replies; 6+ messages in thread
From: Roland Kovacs @ 2026-06-30 13:03 UTC (permalink / raw)
To: openembedded-core
In order to squash multiple smaller bugs, bump from version 2.5.17->2.5.20,
however that does not resolve CVE-2026-57062, so it is backported from gnupg
master.
Roland Kovacs (2):
gnupg: Upgrade 2.5.17 -> 2.5.20
gnupg: fix CVE-2026-57062
.../gnupg/gnupg/CVE-2026-57062.patch | 43 +++++++++++++++++++
.../{gnupg_2.5.17.bb => gnupg_2.5.20.bb} | 4 +-
2 files changed, 46 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch
rename meta/recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} (94%)
--
2.34.1
^ permalink raw reply [flat|nested] 6+ messages in thread* [wrynose][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20 2026-06-30 13:03 [wrynose][PATCH 0/2] gnupg update and fix outstanding CVE Roland Kovacs @ 2026-06-30 13:03 ` Roland Kovacs 2026-06-30 13:19 ` [OE-core] " Yoann Congal 2026-06-30 13:03 ` [wrynose][PATCH 2/2] gnupg: fix CVE-2026-57062 Roland Kovacs 1 sibling, 1 reply; 6+ messages in thread From: Roland Kovacs @ 2026-06-30 13:03 UTC (permalink / raw) To: openembedded-core Bug fixes included in this release: - gpg: Fix wrong assertion failure which could very rarely occur during key signature checking. [rG693f5642f6] - gpg: Consider certify-only keys for revocation signature check. [T8196] - gpgsm: Fix possible double free in the CMS parser. [T8240] - gpgsm: Fix possible too early removal of ephemeral keys. [T8236] - gpgsm: Avoid emitting a final FAILURE status line if --status-fd is not used. [rG69c27fe377] - gpgsm: Fix a regression in 2.5.19 for password encrypted GCM data. [rG60a823c97b] - agent: Fix not using cache for pinentry loopback. [rGd4b608a31f] - agent: Fix command PUT_SECRET by saving input line. [rG1875bc185e] - keyboxd: Mark keys searched but not imported via LDAP correctly as ephemeral. [T8048] - scdaemon: Avoid buffer overflow with SC-HSM cards providing RSA keys > 2k. [T8244] - dirmngr: Fix uninitialized use of the dns_any union in dns_rr_cmp. [T8251] Release-info: https://dev.gnupg.org/T7997 Signed-off-by: Roland Kovacs <roland.kovacs@est.tech> --- .../recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) rename meta/recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} (95%) diff --git a/meta/recipes-support/gnupg/gnupg_2.5.17.bb b/meta/recipes-support/gnupg/gnupg_2.5.20.bb similarity index 95% rename from meta/recipes-support/gnupg/gnupg_2.5.17.bb rename to meta/recipes-support/gnupg/gnupg_2.5.20.bb index fd6588769c..a1a50e2384 100644 --- a/meta/recipes-support/gnupg/gnupg_2.5.17.bb +++ b/meta/recipes-support/gnupg/gnupg_2.5.20.bb @@ -16,6 +16,7 @@ inherit autotools gettext texinfo pkgconfig upstream-version-is-even require drop-unknown-suffix.inc UPSTREAM_CHECK_URI = "https://gnupg.org/ftp/gcrypt/gnupg/" +SRCREV = "343d0cb8910441aa44c56ce8673a78e137040c87" SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ file://0002-use-pkgconfig-instead-of-npth-config.patch \ file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \ @@ -24,7 +25,7 @@ SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for- file://relocate.patch" SRC_URI:append:class-nativesdk = " file://relocate.patch" -SRC_URI[sha256sum] = "2c1fbe20e2958fd8fb53cf37d7c38e84a900edc0d561a1c4af4bc3a10888685d" +SRC_URI[sha256sum] = "6461266e99c308419a379abe6c356d54c214136c4589bd65951091138989ffc6" EXTRA_OECONF = "--disable-ldap \ --disable-ccid-driver \ -- 2.34.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [OE-core] [wrynose][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20 2026-06-30 13:03 ` [wrynose][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20 Roland Kovacs @ 2026-06-30 13:19 ` Yoann Congal 2026-07-01 6:51 ` Roland Kovács 0 siblings, 1 reply; 6+ messages in thread From: Yoann Congal @ 2026-06-30 13:19 UTC (permalink / raw) To: roland.kovacs, openembedded-core On Tue Jun 30, 2026 at 3:03 PM CEST, Roland Kovács via lists.openembedded.org wrote: > Bug fixes included in this release: > - gpg: Fix wrong assertion failure which could very rarely occur > during key signature checking. [rG693f5642f6] > - gpg: Consider certify-only keys for revocation signature check. > [T8196] > - gpgsm: Fix possible double free in the CMS parser. [T8240] > - gpgsm: Fix possible too early removal of ephemeral keys. [T8236] > - gpgsm: Avoid emitting a final FAILURE status line if --status-fd > is not used. [rG69c27fe377] > - gpgsm: Fix a regression in 2.5.19 for password encrypted GCM > data. [rG60a823c97b] > - agent: Fix not using cache for pinentry loopback. [rGd4b608a31f] > - agent: Fix command PUT_SECRET by saving input line. [rG1875bc185e] > - keyboxd: Mark keys searched but not imported via LDAP correctly > as ephemeral. [T8048] > - scdaemon: Avoid buffer overflow with SC-HSM cards providing RSA > keys > 2k. [T8244] > - dirmngr: Fix uninitialized use of the dns_any union in > dns_rr_cmp. [T8251] > Release-info: https://dev.gnupg.org/T7997 > > Signed-off-by: Roland Kovacs <roland.kovacs@est.tech> Sorry but that URL also contains: | New and extended features: | gpgsm: Implement GCM encryption. Note that decryption works since | version 2.3.2. [T3979] | gpgsm: New option --attribute and server command SETATTR to include | arbitrary signed or unsigned attributes into a signature. | Enabled only with libksba 1.7.0 or later. [T4537] | gpgsm: Introduce system attribute _signingCertificateV2. [rG0335a9cb04] ... which are new features, and thus, that upgrade is not acceptable for stable branches. > --- > .../recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > rename meta/recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} (95%) > > diff --git a/meta/recipes-support/gnupg/gnupg_2.5.17.bb b/meta/recipes-support/gnupg/gnupg_2.5.20.bb > similarity index 95% > rename from meta/recipes-support/gnupg/gnupg_2.5.17.bb > rename to meta/recipes-support/gnupg/gnupg_2.5.20.bb > index fd6588769c..a1a50e2384 100644 > --- a/meta/recipes-support/gnupg/gnupg_2.5.17.bb > +++ b/meta/recipes-support/gnupg/gnupg_2.5.20.bb > @@ -16,6 +16,7 @@ inherit autotools gettext texinfo pkgconfig upstream-version-is-even > require drop-unknown-suffix.inc > > UPSTREAM_CHECK_URI = "https://gnupg.org/ftp/gcrypt/gnupg/" > +SRCREV = "343d0cb8910441aa44c56ce8673a78e137040c87" > SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ > file://0002-use-pkgconfig-instead-of-npth-config.patch \ > file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \ > @@ -24,7 +25,7 @@ SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for- > file://relocate.patch" > SRC_URI:append:class-nativesdk = " file://relocate.patch" > > -SRC_URI[sha256sum] = "2c1fbe20e2958fd8fb53cf37d7c38e84a900edc0d561a1c4af4bc3a10888685d" > +SRC_URI[sha256sum] = "6461266e99c308419a379abe6c356d54c214136c4589bd65951091138989ffc6" > > EXTRA_OECONF = "--disable-ldap \ > --disable-ccid-driver \ -- Yoann Congal Smile ECS ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [OE-core] [wrynose][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20 2026-06-30 13:19 ` [OE-core] " Yoann Congal @ 2026-07-01 6:51 ` Roland Kovács 2026-07-01 7:48 ` Yoann Congal 0 siblings, 1 reply; 6+ messages in thread From: Roland Kovács @ 2026-07-01 6:51 UTC (permalink / raw) To: openembedded-core@lists.openembedded.org, yoann.congal@smile.fr On Tue, 2026-06-30 at 15:19 +0200, Yoann Congal wrote: > On Tue Jun 30, 2026 at 3:03 PM CEST, Roland Kovács via lists.openembedded.org wrote: > > Bug fixes included in this release: > > - gpg: Fix wrong assertion failure which could very rarely occur > > during key signature checking. [rG693f5642f6] > > - gpg: Consider certify-only keys for revocation signature check. > > [T8196] > > - gpgsm: Fix possible double free in the CMS parser. [T8240] > > - gpgsm: Fix possible too early removal of ephemeral keys. [T8236] > > - gpgsm: Avoid emitting a final FAILURE status line if --status-fd > > is not used. [rG69c27fe377] > > - gpgsm: Fix a regression in 2.5.19 for password encrypted GCM > > data. [rG60a823c97b] > > - agent: Fix not using cache for pinentry loopback. [rGd4b608a31f] > > - agent: Fix command PUT_SECRET by saving input line. [rG1875bc185e] > > - keyboxd: Mark keys searched but not imported via LDAP correctly > > as ephemeral. [T8048] > > - scdaemon: Avoid buffer overflow with SC-HSM cards providing RSA > > keys > 2k. [T8244] > > - dirmngr: Fix uninitialized use of the dns_any union in > > dns_rr_cmp. [T8251] > > Release-info: https://dev.gnupg.org/T7997 > > > > Signed-off-by: Roland Kovacs <roland.kovacs@est.tech> > > Sorry but that URL also contains: > > New and extended features: > > gpgsm: Implement GCM encryption. Note that decryption works since > > version 2.3.2. [T3979] > > gpgsm: New option --attribute and server command SETATTR to include > > arbitrary signed or unsigned attributes into a signature. > > Enabled only with libksba 1.7.0 or later. [T4537] > > gpgsm: Introduce system attribute _signingCertificateV2. [rG0335a9cb04] > ... which are new features, and thus, that upgrade is not acceptable for > stable branches. > Understood. Just for clarification, only bug fix release is accepted for stable branch, even if there's no backwards incompatible change? I'll remove the recipe update and only keep the CVE fix in V2. > > --- > > .../recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > rename meta/recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} (95%) > > > > diff --git a/meta/recipes-support/gnupg/gnupg_2.5.17.bb b/meta/recipes- > > support/gnupg/gnupg_2.5.20.bb > > similarity index 95% > > rename from meta/recipes-support/gnupg/gnupg_2.5.17.bb > > rename to meta/recipes-support/gnupg/gnupg_2.5.20.bb > > index fd6588769c..a1a50e2384 100644 > > --- a/meta/recipes-support/gnupg/gnupg_2.5.17.bb > > +++ b/meta/recipes-support/gnupg/gnupg_2.5.20.bb > > @@ -16,6 +16,7 @@ inherit autotools gettext texinfo pkgconfig upstream-version-is-even > > require drop-unknown-suffix.inc > > > > UPSTREAM_CHECK_URI = "https://gnupg.org/ftp/gcrypt/gnupg/" > > +SRCREV = "343d0cb8910441aa44c56ce8673a78e137040c87" > > SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ > > file://0002-use-pkgconfig-instead-of-npth-config.patch \ > > file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \ > > @@ -24,7 +25,7 @@ SRC_URI:append:class-native = " > > file://0001-configure.ac-use-a-custom-value-for- > > file://relocate.patch" > > SRC_URI:append:class-nativesdk = " file://relocate.patch" > > > > -SRC_URI[sha256sum] = "2c1fbe20e2958fd8fb53cf37d7c38e84a900edc0d561a1c4af4bc3a10888685d" > > +SRC_URI[sha256sum] = "6461266e99c308419a379abe6c356d54c214136c4589bd65951091138989ffc6" > > > > EXTRA_OECONF = "--disable-ldap \ > > --disable-ccid-driver \ > Cheers, Roland ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [OE-core] [wrynose][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20 2026-07-01 6:51 ` Roland Kovács @ 2026-07-01 7:48 ` Yoann Congal 0 siblings, 0 replies; 6+ messages in thread From: Yoann Congal @ 2026-07-01 7:48 UTC (permalink / raw) To: Roland Kovács; +Cc: Patches and discussions about the oe-core layer [-- Attachment #1: Type: text/plain, Size: 4147 bytes --] Le mer. 1 juil. 2026, 08:51, Roland Kovács <roland.kovacs@est.tech> a écrit : > On Tue, 2026-06-30 at 15:19 +0200, Yoann Congal wrote: > > On Tue Jun 30, 2026 at 3:03 PM CEST, Roland Kovács via > lists.openembedded.org wrote: > > > Bug fixes included in this release: > > > - gpg: Fix wrong assertion failure which could very rarely occur > > > during key signature checking. [rG693f5642f6] > > > - gpg: Consider certify-only keys for revocation signature check. > > > [T8196] > > > - gpgsm: Fix possible double free in the CMS parser. [T8240] > > > - gpgsm: Fix possible too early removal of ephemeral keys. [T8236] > > > - gpgsm: Avoid emitting a final FAILURE status line if --status-fd > > > is not used. [rG69c27fe377] > > > - gpgsm: Fix a regression in 2.5.19 for password encrypted GCM > > > data. [rG60a823c97b] > > > - agent: Fix not using cache for pinentry loopback. [rGd4b608a31f] > > > - agent: Fix command PUT_SECRET by saving input line. > [rG1875bc185e] > > > - keyboxd: Mark keys searched but not imported via LDAP correctly > > > as ephemeral. [T8048] > > > - scdaemon: Avoid buffer overflow with SC-HSM cards providing RSA > > > keys > 2k. [T8244] > > > - dirmngr: Fix uninitialized use of the dns_any union in > > > dns_rr_cmp. [T8251] > > > Release-info: https://dev.gnupg.org/T7997 > > > > > > Signed-off-by: Roland Kovacs <roland.kovacs@est.tech> > > > > Sorry but that URL also contains: > > > New and extended features: > > > gpgsm: Implement GCM encryption. Note that decryption works since > > > version 2.3.2. [T3979] > > > gpgsm: New option --attribute and server command SETATTR to include > > > arbitrary signed or unsigned attributes into a signature. > > > Enabled only with libksba 1.7.0 or later. [T4537] > > > gpgsm: Introduce system attribute _signingCertificateV2. > [rG0335a9cb04] > > ... which are new features, and thus, that upgrade is not acceptable for > > stable branches. > > > Understood. Just for clarification, only bug fix release is accepted for > stable branch, even if > there's no backwards incompatible change? > Yes, that's right. No new features, no enhancement, only bug/security fixes. > I'll remove the recipe update and only keep the CVE fix in V2. > Sounds good, thanks! > > > > --- > > > .../recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} | 3 > ++- > > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > rename meta/recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} > (95%) > > > > > > diff --git a/meta/recipes-support/gnupg/gnupg_2.5.17.bb > b/meta/recipes- > > > support/gnupg/gnupg_2.5.20.bb > > > similarity index 95% > > > rename from meta/recipes-support/gnupg/gnupg_2.5.17.bb > > > rename to meta/recipes-support/gnupg/gnupg_2.5.20.bb > > > index fd6588769c..a1a50e2384 100644 > > > --- a/meta/recipes-support/gnupg/gnupg_2.5.17.bb > > > +++ b/meta/recipes-support/gnupg/gnupg_2.5.20.bb > > > @@ -16,6 +16,7 @@ inherit autotools gettext texinfo pkgconfig > upstream-version-is-even > > > require drop-unknown-suffix.inc > > > > > > UPSTREAM_CHECK_URI = "https://gnupg.org/ftp/gcrypt/gnupg/" > > > +SRCREV = "343d0cb8910441aa44c56ce8673a78e137040c87" > > > SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ > > > file://0002-use-pkgconfig-instead-of-npth-config.patch \ > > > file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \ > > > @@ -24,7 +25,7 @@ SRC_URI:append:class-native = " > > > file://0001-configure.ac-use-a-custom-value-for- > > > file://relocate.patch" > > > SRC_URI:append:class-nativesdk = " file://relocate.patch" > > > > > > -SRC_URI[sha256sum] = > "2c1fbe20e2958fd8fb53cf37d7c38e84a900edc0d561a1c4af4bc3a10888685d" > > > +SRC_URI[sha256sum] = > "6461266e99c308419a379abe6c356d54c214136c4589bd65951091138989ffc6" > > > > > > EXTRA_OECONF = "--disable-ldap \ > > > --disable-ccid-driver \ > > > > Cheers, > Roland > [-- Attachment #2: Type: text/html, Size: 7084 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* [wrynose][PATCH 2/2] gnupg: fix CVE-2026-57062 2026-06-30 13:03 [wrynose][PATCH 0/2] gnupg update and fix outstanding CVE Roland Kovacs 2026-06-30 13:03 ` [wrynose][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20 Roland Kovacs @ 2026-06-30 13:03 ` Roland Kovacs 1 sibling, 0 replies; 6+ messages in thread From: Roland Kovacs @ 2026-06-30 13:03 UTC (permalink / raw) To: openembedded-core CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. Signed-off-by: Roland Kovacs <roland.kovacs@est.tech> --- .../gnupg/gnupg/CVE-2026-57062.patch | 43 +++++++++++++++++++ meta/recipes-support/gnupg/gnupg_2.5.20.bb | 1 + 2 files changed, 44 insertions(+) create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch diff --git a/meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch b/meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch new file mode 100644 index 0000000000..f298b6e9a8 --- /dev/null +++ b/meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch @@ -0,0 +1,43 @@ +From d586f50ee849c8cbeaea47b50c64446c1becbf9b Mon Sep 17 00:00:00 2001 +From: Werner Koch <wk@gnupg.org> +Date: Thu, 18 Jun 2026 10:51:34 +0200 +Subject: [PATCH] gpgsm: Require a minimum tag length for GCM decryption. + +* sm/decrypt.c (gpgsm_decrypt): Require a minimum authtaglen. +-- + +Reported-by: Thai Duong <thai@calif.io> +This is similar to OpenSSL's +CVE-id: CVE-2026-34182 + +CVE: CVE-2026-57062 +Upstream-Status: Backport [https://github.com/gpg/gnupg/commit/4c7e68cf3d335328821bdbb70db309a60d0e4fd4] + +Signed-off-by: Roland Kovacs <roland.kovacs@est.tech> +--- + sm/decrypt.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/sm/decrypt.c b/sm/decrypt.c +index 20fb96060..92a33c6e6 100644 +--- a/sm/decrypt.c ++++ b/sm/decrypt.c +@@ -1447,7 +1447,14 @@ gpgsm_decrypt (ctrl_t ctrl, estream_t in_fp, estream_t out_fp) + } + if (DBG_CRYPTO) + log_printhex (authtag, authtaglen, "Authtag ...:"); +- rc = gcry_cipher_checktag (dfparm.hd, authtag, authtaglen); ++ if (authtaglen < 12) ++ { ++ log_info ("authentication tag is too short (%zu octets)\n", ++ authtaglen); ++ rc = gpg_error (GPG_ERR_CHECKSUM); ++ } ++ else ++ rc = gcry_cipher_checktag (dfparm.hd, authtag, authtaglen); + xfree (authtag); + if (rc) + log_error ("data is not authentic: %s\n", gpg_strerror (rc)); +-- +2.34.1 + diff --git a/meta/recipes-support/gnupg/gnupg_2.5.20.bb b/meta/recipes-support/gnupg/gnupg_2.5.20.bb index a1a50e2384..e373265c48 100644 --- a/meta/recipes-support/gnupg/gnupg_2.5.20.bb +++ b/meta/recipes-support/gnupg/gnupg_2.5.20.bb @@ -20,6 +20,7 @@ SRCREV = "343d0cb8910441aa44c56ce8673a78e137040c87" SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ file://0002-use-pkgconfig-instead-of-npth-config.patch \ file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \ + file://CVE-2026-57062.patch \ " SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \ file://relocate.patch" -- 2.34.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-07-01 7:48 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-06-30 13:03 [wrynose][PATCH 0/2] gnupg update and fix outstanding CVE Roland Kovacs 2026-06-30 13:03 ` [wrynose][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20 Roland Kovacs 2026-06-30 13:19 ` [OE-core] " Yoann Congal 2026-07-01 6:51 ` Roland Kovács 2026-07-01 7:48 ` Yoann Congal 2026-06-30 13:03 ` [wrynose][PATCH 2/2] gnupg: fix CVE-2026-57062 Roland Kovacs
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox