Re: Bug#387688: Add gnupg as apt dependency in Squeeze to be able to solve #387688 in Squeeze+1?

2010-08-22 Thread Philipp Kern 

On 08/22/2010 12:46 AM, Carsten Hey wrote:

By removing the (currently indirect) apt dependencies on gnupg and
libusb-0.1-4 and making apt depend on gpgv (or gpgv | gpgv-tiny)
instead, 5272 kB could be saved.  There are ways to accomplish this for
Squeeze+1, how it could be done seems to be nothing that needs to be
discussed before Squeeze is released.
   


Please note that, due to how apt currently handles keyrings, you do need 
a full gnupg available to run apt-key.  The use of gpgv is only 
implemented in the installer, as it uses only one keyring file.  An 
alternative might be looping over several keyrings using gpgv, to verify 
the signature, instead of using a large one.  But this wasn't 
implemented yet, of course.


Kind regards,
Philipp Kern


--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4c70ecbe.4000...@debian.org

Re: [Pkg-gnupg-maint] Bug#592902: Bug#387688: Add gnupg as apt dependency in Squeeze to be able to solve #387688 in Squeeze+1?

2010-08-22 Thread Thijs Kinkhorst 
On Sun, August 22, 2010 00:46, Carsten Hey wrote:
  * Build a new package gpgv-tiny, configured with --without-readline.

Just wondering here if there would be any need for a regular 'gpgv'
package if 'gpgv-tiny' exists. In other words, we could already build gpgv
separately, without readline, right? I don't know of use cases of gpgv
that somehow involve readline.


Thijs


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/286ce0677286c4b08f4c90487a9f64f7.squir...@wm.kinkhorst.nl

Re: Bug#387688: Add gnupg as apt dependency in Squeeze to be able to solve #387688 in Squeeze+1?

2010-08-21 Thread Carsten Hey 
* Philipp Kern [2010-08-15 13:30 +0200]:
 On Fri, Aug 13, 2010 at 01:37:15AM +0200, Carsten Hey wrote:
  currently apt depends on debian-archive-keyring which depends on
  gnupg. It has been proposed to remove the latter dependency in
  #387688, this would save about 5 MB of disk space in a sid
  debootstrap.

 I'm still not sure if I buy this argument.  After all it would leave
 the debootstrap without apt (which is the current default behaviour,
 I know).

In the meantime apt has been added to base packages for debootstrap's
buildd variant.

 How useful is this, really?

My wording was not as clear as it should have been :)  Neither apt's nor
debian-archive-keyring's dependencies influence the size of a Debian
chroot with only essential and build-essential packages installed.

I was talking about a rather minimal Debian installation _with_ apt.
Two examples for such installations are the chroot environments created
by the debootstrap variants minbase and buildd.


Let's look into this in more detail:

Currently the Installed-Size: of apt and its non-Required: yes
dependencies is 12,624 (6,904 + 5,720) kB:

apt   5,244
libstdc++61,204
debian-archive-keyring   60
gpgv396  (required for verifying signatures)
  ¯
needed dependencies   6,904


gnupg 5,176
libusb-0.1-4 96
libreadline6356
readline-common  92
  ¯
superfluous dependencies  5,720

By removing the (currently indirect) apt dependencies on gnupg and
libusb-0.1-4 and making apt depend on gpgv (or gpgv | gpgv-tiny)
instead, 5272 kB could be saved.  There are ways to accomplish this for
Squeeze+1, how it could be done seems to be nothing that needs to be
discussed before Squeeze is released.

To save additional 448 kB by removing the dependency on libreadline (of
course not by default, but only if the user chooses this) there seem to
be two ways:

 * Build a new package gpgv-tiny, configured with --without-readline.
   gpgv-tiny without gnupg-tiny would be pretty useless unless apt and
   debian-archive-keyring remove their gnupg dependency.  If the gnupg
   maintainer decide to build gpgv-tiny, it should IMHO be done after
   apt's gnupg dependency has been removed.

 * Teach gpgv to dlopen() libreadline and use it only if it is available
   (suggested by Florian Weimer in #592902).  Using dlopen would have
   obvious advantages, but this would require adding a patch to the
   Debian package unless it would be accepted upstream.

As explained, the minimal disk usage of apt and its non-essential
dependencies could be dropped easily from currently 12,624 to 6,904 kB.
After Debian's possible future switch to Tdeps it would be 3,119 kB.


There are ways to further reduce the disk usage of a nearly minimal
Debian installation without requiring the user to do the work
her/himself and without negatively influencing a non-minimal
installation.  Reducing disk usage about a half megabyte or two
megabytes is not much, but many small reductions combined lead to
significant less disk usage.

An imaginary debootstrap variant 'tiny' that, e.g., would install
debconf-english instead of debconf-l18n (this saves 1,516 kB) and
gpgv-tiny instead of gpgv, that would not need to install gnupg and so
on, could create such a minimal installation plus apt.  This combined
with the biggest saving of disk usage, having tdebs in Debian and not
installing them, would lead to a rather small but usable Debian chroot.


 What's the use case?

The obvious use cases are:

  * Installation on systems where disk space is limited.

  * People with slow or traffic limited internet connections would be
happy to save traffic when they create a build chroot or similar.

Being able to create small but usable Debian chroots could also lead to
less obvious use cases being more reasonable than they are now.  One
possible example is creating an unstable chroot just to run a single
program not available in stable.


 (Still your other remarks look sane, and AFAIK a dependency on gnupg
 has been committed into apt.)

Yes, the dependency is already in experimental.


Regards
Carsten


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20100821224613.ga28...@foghorn.stateful.de

Re: Bug#387688: Add gnupg as apt dependency in Squeeze to be able to solve #387688 in Squeeze+1?

2010-08-15 Thread Bernhard R. Link 
* Philipp Kern pk...@debian.org [100815 13:31]:
 On Fri, Aug 13, 2010 at 01:37:15AM +0200, Carsten Hey wrote:
  currently apt depends on debian-archive-keyring which depends on gnupg.
  It has been proposed to remove the latter dependency in #387688, this
  would save about 5 MB of disk space in a sid debootstrap.
 
 I'm still not sure if I buy this argument.  After all it would leave the
 debootstrap without apt (which is the current default behaviour, I know).
 How useful is this, really?  I know that apt is not strictly necessary, as you
 can get all deps installed by debootstrap as well, but you cannot even pull in
 updates.  What's the use case?

You can use the apt on the host system to upgrade the packages in the
chroot.

On slow systems having less stuff to install for a chroot makes
chroot creation significantly faster[1], on fast systems chroots there
is not much use in reusing chroots anyway, so being able to check more
missing dependencies is an advantage while not being able to update
chroots no big disadvantage.

Bernhard R. Link

[1] Though our current handling of essential bloats chroots quite a bit.


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/20100815114503.ga19...@pcpool00.mathematik.uni-freiburg.de