Bug#801381: debian-archive-keyring: Depend/Recommend gnupg2 and gpgv2?
Hi Adam,

2017-08-18 21:59 GMT+02:00 Adam D. Barratt:
> I've therefore pushed the removal of the dependencies from the .deb
> package for the next upload. (The udeb has a Recommends on gpgv-udeb,
> but I don't know the installer environment well enough to be happy
> touching that right now.)

Looks like a good solution, thanks!

-- 
Manuel A. Fernandez Montecelo
Bug#801381: debian-archive-keyring: Depend/Recommend gnupg2 and gpgv2?
Control: tags -1 + pending

On Tue, 2017-08-15 at 17:07 +0100, Adam D. Barratt wrote:
> On 2017-08-15 15:37, Daniel Kahn Gillmor wrote:
> > I'm not even sure i understand why debian-archive-keyring Depends: gpgv
> > -- the package's goal is to provide the archive keyring to enable
> > OpenPGP validation, but the package itself doesn't appear to require
> > gpgv in any way. Presumably the packages that need to *do* OpenPGP
> > validation will Depend: gpgv (or whatever other OpenPGP validator tool
> > they prefer to use).
> >
> > I recommend moving gpgv to Suggests: and removing gnupg from the
> > set
>
> The dependency was added as part of the changes in d-a-k 2012.1:
>
> [ David Kalnischkies ]

For the record, I talked with David on IRC about this. When the dependency was originally added, apt did not depend on gpgv or gpg itself, as archive signing was very much optional, so d-a-k had to ensure that they were available directly. These days, apt has the required dependencies, so there's no need for them in d-a-k.

I've therefore pushed the removal of the dependencies from the .deb package for the next upload. (The udeb has a Recommends on gpgv-udeb, but I don't know the installer environment well enough to be happy touching that right now.)

Regards,

Adam
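The argument Adam makes above (d-a-k only needed its own Depends on gpgv while apt did not pull gpgv in itself) can be checked mechanically with a dependency-closure computation. The following is an added example, not code from the bug report or from the debian-archive-keyring package: it parses control-style Depends/Recommends/Suggests fields (alternatives with `|`, version constraints in parentheses) and computes which packages end up installed. The two control snippets are constructed for illustration and do not reproduce the real archive metadata of any Debian release.

```python
"""Toy resolver for Debian control-style relationship fields.

Added example (not from the bug report or the package itself). It models
the reasoning in the thread: once apt itself Depends on gpgv, the
debian-archive-keyring (d-a-k) package no longer has to carry that
dependency to guarantee that a verifier is present.
"""
import re
from typing import Dict, List, Set

# Constructed sample stanzas in debian/control syntax. Versions, fields and
# the exact dependency lists are illustrative only.
OLD_ARCHIVE = """\
Package: apt
Depends: libc6 (>= 2.4), libapt-pkg

Package: debian-archive-keyring
Version: 2012.1
Depends: gpgv
Recommends: gnupg

Package: gpgv
Depends: libc6 (>= 2.4)

Package: gnupg
Depends: gpgv, libc6 (>= 2.4)

Package: libapt-pkg
Depends: libc6 (>= 2.4)

Package: libc6
"""

NEW_ARCHIVE = """\
Package: apt
Depends: libc6 (>= 2.4), libapt-pkg, gpgv

Package: debian-archive-keyring
Version: 2017.x-hypothetical
Suggests: gpgv

Package: gpgv
Depends: libc6 (>= 2.4)

Package: gnupg
Depends: gpgv, libc6 (>= 2.4)

Package: libapt-pkg
Depends: libc6 (>= 2.4)

Package: libc6
"""

RELATION_FIELDS = ("Pre-Depends", "Depends", "Recommends", "Suggests")
_PKG_NAME = re.compile(r"^\s*([a-z0-9][a-z0-9+.-]+)")


def parse_control(text: str) -> Dict[str, Dict[str, List[List[str]]]]:
    """Parse stanzas into {package: {field: [[alt, alt, ...], ...]}}.

    Each comma-separated relation becomes a list of alternatives ('a | b').
    Version constraints in parentheses are dropped: only names matter here.
    """
    pkgs: Dict[str, Dict[str, List[List[str]]]] = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        name = None
        fields: Dict[str, List[List[str]]] = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "Package":
                name = value
            elif key in RELATION_FIELDS:
                fields[key] = [
                    [m.group(1) for m in map(_PKG_NAME.match, rel.split("|")) if m]
                    for rel in value.split(",")
                ]
        if name:
            pkgs[name] = fields
    return pkgs


def install_closure(pkgs, roots, follow=("Pre-Depends", "Depends")) -> Set[str]:
    """Packages present once 'roots' are installed, honouring only the
    relationship fields in 'follow'. An OR-group is satisfied by any already
    installed alternative, otherwise its first alternative is chosen."""
    installed: Set[str] = set()
    todo = list(roots)
    while todo:
        pkg = todo.pop()
        if pkg in installed:
            continue
        installed.add(pkg)
        for field in follow:
            for alts in pkgs.get(pkg, {}).get(field, []):
                if alts and not any(a in installed for a in alts):
                    todo.append(alts[0])
    return installed


def gpgv_guaranteed(control_text: str, drop_dak_depends: bool = False) -> bool:
    """Is gpgv installed on a system with apt and d-a-k, optionally after
    removing d-a-k's own Depends line (the change discussed in the thread)?"""
    pkgs = parse_control(control_text)
    if drop_dak_depends:
        pkgs["debian-archive-keyring"].pop("Depends", None)
    return "gpgv" in install_closure(pkgs, {"apt", "debian-archive-keyring"})


if __name__ == "__main__":
    print("old archive, d-a-k keeps Depends: ", gpgv_guaranteed(OLD_ARCHIVE))
    print("old archive, d-a-k drops Depends: ", gpgv_guaranteed(OLD_ARCHIVE, True))
    print("new archive, d-a-k drops Depends: ", gpgv_guaranteed(NEW_ARCHIVE, True))
```

With the constructed OLD_ARCHIVE, dropping the d-a-k Depends leaves gpgv uninstalled, which is why the dependency was added in 2012.1; with NEW_ARCHIVE, where apt carries the dependency, the keyring package can drop it without any loss of verification capability, and gnupg is no longer pulled in via Recommends either.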
Bug#801381: debian-archive-keyring: Depend/Recommend gnupg2 and gpgv2?
On Tue 2017-08-15 17:07:21 +0100, Adam D. Barratt wrote:
> The dependency was added as part of the changes in d-a-k 2012.1:
>
> [ David Kalnischkies ]
> * Ship each active key in a separate keyring in /etc/apt/trusted.gpg.d/
> as conffiles for simpler usage of apt-secure(8).
> * Remove all active keys from /etc/apt/trusted.gpg as they are shipped
> now as fragment files.
> * Depend on gpgv and only recommend gnupg. (Closes: #387688)
>
> I've not looked at what happens with the current package if gpgv is not
> available.

"the current package" means debian-archive-keyring, right? So that's:

Description-en: GnuPG archive keys of the Debian archive
 The Debian project digitally signs its Release files. This package
 contains the archive keys used for that.

The only maintscript which even mentions gpg or gpgv is postinst, which has something for upgrades from 2012.1 (older than oldoldstable). And nothing else is shipped in debian-archive-keyring that would actually depend directly on gpgv.

I don't think it belongs as a dependency here. We don't want to say "you must verify OpenPGP signatures made by these keys with GnuPG's gpgv", do we? If some other tool needs gpgv specifically, *it* should be the thing that states a dependency on gpgv.

--dkg
Bug#801381: debian-archive-keyring: Depend/Recommend gnupg2 and gpgv2?
Hello,

2017-08-15 16:37 GMT+02:00 Daniel Kahn Gillmor:
> Hi Manuel and maintainers of debian-archive-keyring,
>
> On Fri 2015-10-09 13:09:13 +0100, Manuel A. Fernandez Montecelo wrote:
>> From DebConf, I got the impression that we should start to move to
>> gnupg2, and even if not gnupg2 seems perfectly stable nowadays and
>> having to keep both installed seems unnecessary (I have to use v2 for
>> other reasons).
>>
>> This package depends on and recommends gnupg and gpg, so I think that
>> at least gnupg2 and gpgv2 should be added as an option.
>
> As one of the debian maintainers of GnuPG, please *do not* depend on the
> gnupg2 or gpgv2 packages. For one thing, the gnupg and gpgv packages
> are shipping the modern version of GnuPG these days anyway (2.1.x), and
> the gnupg2 and gpgv2 packages are dummy/transitional packages (with the
> exception of offering a symlinked name for the binaries in question).
>
> For another, i'm not convinced that debian-archive-keyring should
> Recommend: gnupg at all.
>
> I'm not even sure i understand why debian-archive-keyring Depends: gpgv
> -- the package's goal is to provide the archive keyring to enable
> OpenPGP validation, but the package itself doesn't appear to require
> gpgv in any way. Presumably the packages that need to *do* OpenPGP
> validation will Depend: gpgv (or whatever other OpenPGP validator tool
> they prefer to use).
>
> I recommend moving gpgv to Suggests: and removing gnupg from the set
> of dependencies entirely.

I am fine with the solutions that you propose.

My main concern when submitting this bug report was that gnupg-v1 was kept installed in my system due to this package (maybe among others), and an alternative dependency on -v2 should have worked fine for the purpose of this package, at the time.

Now, a long time after that and with "gnupg"/"gpgv" being based on v2, the original request doesn't make much sense, so please do whatever you consider best -- including closing it right away.

Cheers.

-- 
Manuel A. Fernandez Montecelo
Bug#801381: debian-archive-keyring: Depend/Recommend gnupg2 and gpgv2?
On 2017-08-15 15:37, Daniel Kahn Gillmor wrote:
> I'm not even sure i understand why debian-archive-keyring Depends: gpgv
> -- the package's goal is to provide the archive keyring to enable
> OpenPGP validation, but the package itself doesn't appear to require
> gpgv in any way. Presumably the packages that need to *do* OpenPGP
> validation will Depend: gpgv (or whatever other OpenPGP validator tool
> they prefer to use).
>
> I recommend moving gpgv to Suggests: and removing gnupg from the set

The dependency was added as part of the changes in d-a-k 2012.1:

[ David Kalnischkies ]
* Ship each active key in a separate keyring in /etc/apt/trusted.gpg.d/
  as conffiles for simpler usage of apt-secure(8).
* Remove all active keys from /etc/apt/trusted.gpg as they are shipped
  now as fragment files.
* Depend on gpgv and only recommend gnupg. (Closes: #387688)

I've not looked at what happens with the current package if gpgv is not available.

Regards,

Adam
Bug#801381: debian-archive-keyring: Depend/Recommend gnupg2 and gpgv2?
Hi Manuel and maintainers of debian-archive-keyring,

On Fri 2015-10-09 13:09:13 +0100, Manuel A. Fernandez Montecelo wrote:
> From DebConf, I got the impression that we should start to move to
> gnupg2, and even if not gnupg2 seems perfectly stable nowadays and
> having to keep both installed seems unnecessary (I have to use v2 for
> other reasons).
>
> This package depends on and recommends gnupg and gpg, so I think that
> at least gnupg2 and gpgv2 should be added as an option.

As one of the debian maintainers of GnuPG, please *do not* depend on the gnupg2 or gpgv2 packages. For one thing, the gnupg and gpgv packages are shipping the modern version of GnuPG these days anyway (2.1.x), and the gnupg2 and gpgv2 packages are dummy/transitional packages (with the exception of offering a symlinked name for the binaries in question).

For another, i'm not convinced that debian-archive-keyring should Recommend: gnupg at all.

I'm not even sure i understand why debian-archive-keyring Depends: gpgv -- the package's goal is to provide the archive keyring to enable OpenPGP validation, but the package itself doesn't appear to require gpgv in any way. Presumably the packages that need to *do* OpenPGP validation will Depend: gpgv (or whatever other OpenPGP validator tool they prefer to use).

I recommend moving gpgv to Suggests: and removing gnupg from the set of dependencies entirely.

--dkg
Bug#801381: debian-archive-keyring: Depend/Recommend gnupg2 and gpgv2?
Package: debian-archive-keyring
Version: 2014.3
Severity: wishlist

Hello,

From DebConf, I got the impression that we should start to move to gnupg2, and even if not gnupg2 seems perfectly stable nowadays and having to keep both installed seems unnecessary (I have to use v2 for other reasons).

This package depends on and recommends gnupg and gpg, so I think that at least gnupg2 and gpgv2 should be added as an option.

Cheers.

-- 
Manuel A. Fernandez Montecelo