On Mon, Sep 08, 2003 at 12:49:33PM -0500, Adam Heath wrote:
> On Mon, 8 Sep 2003, Matt Zimmerman wrote:
>
> > I'm wary of a Depends: on gnupg, since apt is fully functional without it.
> > We should definitely ship some keys by default, but if we ship them in the
> > form of a gnupg keyring, rather than exported keys, I think we can avoid the
> > dependency and just copy the keyring into place (assuming that gnupg
> > keyrings are reasonably portable across versions).
>
> Jason said years ago that he was going to add dlopen support to apt. He never
> did. If apt could suddenly load external modules, then apt-secure could be a
> separate deb, that depended on gpg, and debian-keyring.

The only part which actually invokes gpg is the gpgv method, which is already
in a separate binary from the rest of apt. The trouble is that if they don't
have it installed, apt would not be able to verify any signatures and would
complain every time a package is to be installed. Maybe it should not even
try to verify anything if it finds that gpg is not installed?

-- 
 - mdz

