On Tue, Mar 29, 2011 at 18:32, Carsten Hey <[email protected]> wrote: > please drop apt's dependency on gnupg. > > There has already been some discussion in related bugs #387688 and > #558784.
How do we move forward if d-a-k as well as APT do not depend on gnupg anymore while d-a-k in its current state needs it to add its keys to the trusted.gpg file through apt-key? For me a plan looks more like: - switch all keyring packages to store their keyrings in the new (=squeeze supports it) trusted.gpg.d directory - at best even more fragments if it makes sense, e.g. oldstable keys in an other file than the one for testing. Links are fine, too. - all keyrings recommend gpgv as thats enough for APT to check the signature, or depend on gpgv - depends on (pun intended) if you want to be able to use the keyring without APT or not… - remove the gnupg dependency from APT (- remove the apt dependency from all keyring packages) (- downgrade APTs d-a-k dependency to a recommend) - close all three bugs mentioned in this bugreport here I tried to convert the debian-archive-keyring recently, but failed at the attempt to split the keyring into different files - but yeah, ultimately, you (as in debian) shouldn't trust a patch from someone without an official status like me anyway in such a security sensitive context, so feel free to make it happen yourself: i would be happy about it at least (beside that I have done the split on my local machine by hand for testing proposes anyway). Best regards David Kalnischkies -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
