Hi,

currently apt depends on debian-archive-keyring, which depends on gnupg. It has been proposed to remove the latter dependency in #387688; this would save about 5 MB of disk space in a sid debootstrap.

I don't see how this bug could be fixed in debian-archive-keyring but think it should be fixed in apt instead. Anyhow, if a user would upgrade to debian-archive-keyring/Squeeze+1 without the gnupg dependency and still have apt/Squeeze installed during a partial upgrade, he or she could end up with a system that has no gpgv installed. There are some quite hackish ways involving versioned dependencies and/or conflicts to ensure a clean upgrade path if this bug is fixed in Squeeze+1; the cleanest one seems to me to be to make apt/Squeeze explicitly depend on gnupg.

Thus I propose to make apt's implicit dependency on gnupg explicit to be able to fix #387688 for Squeeze+1 and still provide a clean upgrade path from Squeeze.

Would an apt upload with the following diff (plus changelog entry) get a freeze exception? If so, I'd like to ask the apt maintainers if they are willing to do such an upload.

--- a/debian/control +++ b/debian/control @@ -12,7 +12,7 @@ Vcs-Bzr: http://bzr.debian.org/apt/debian-sid/ Package: apt Architecture: any -Depends: ${shlibs:Depends}, debian-archive-keyring, ${misc:Depends} +Depends: ${shlibs:Depends}, debian-archive-keyring, gnupg, ${misc:Depends} Replaces: manpages-pl (<< 20060617-3~) Provides: ${libapt-pkg:provides} Conflicts: python-apt (<< 0.7.93.2~)

Thanks for considering

Carsten

P.S.: Of course, updating local keyrings (which is what apt-key update does) can't be done by a signature verification tool, so simply telling apt-key to use gpgv instead of gpg would not work.
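Review bot: The changed Depends line adds only `gnupg`, while the failure the message describes is a system left with no gpgv installed, and the P.S. separates the two tools (gpg for `apt-key update`, gpgv for signature verification). If apt calls both, the dependency should say so, either by listing gpgv next to gnupg or by noting in the changelog entry that gnupg is relied on to bring gpgv in; otherwise signature verification still rests on a transitive dependency, which is the situation this change is meant to end. The changelog entry should also reference #387688 so the new dependency is not later dropped as redundant with debian-archive-keyring.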

