Package: apt Version: 0.7.9 Severity: normal Tags: patch apt depends on debian-archive-keyring, but it doesn't really need it, since /usr/share/apt/debian-archive.gpg is already part of the apt package.
In turn, debian-archive-keyring depends on gnupg, which is only needed to make apt-key useful. But apt-key doesn't provide essential functionality in apt, since the debian archive key is already loaded. For performing the actual verification, gpgv should be enough. See attached patch (also corrects a minor mistake in a gpgv method error message). -- System Information: Debian Release: lenny/sid APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.18-5-amd64 Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8) Versions of packages apt depends on: ii debian-archive-keyring 2007.07.31~etch1 GnuPG archive keys of the Debian a ii libc6 2.3.6.ds1-13etch2 GNU C Library: Shared libraries ii libgcc1 1:4.1.1-21 GCC support library ii libstdc++6 4.1.1-21 The GNU Standard C++ Library v3 apt recommends no packages. -- no debconf information
diff -urp apt-0.7.9.old/debian/control apt-0.7.9/debian/control --- apt-0.7.9.old/debian/control 2007-07-31 01:26:07.000000000 +0200 +++ apt-0.7.9/debian/control 2007-11-24 10:28:12.000000000 +0100 @@ -10,11 +10,11 @@ XS-Vcs-Bzr: http://bzr.debian.org/apt/de Package: apt Architecture: any -Depends: ${shlibs:Depends}, debian-archive-keyring +Depends: ${shlibs:Depends}, gpgv Priority: important Replaces: libapt-pkg-doc (<< 0.3.7), libapt-pkg-dev (<< 0.3.7) Provides: ${libapt-pkg:provides} -Suggests: aptitude | synaptic | gnome-apt | wajig, dpkg-dev, apt-doc, bzip2, lzma +Suggests: aptitude | synaptic | gnome-apt | wajig, dpkg-dev, apt-doc, bzip2, lzma, debian-archive-keyring Section: admin Description: Advanced front-end for dpkg This is Debian's next generation front-end for the dpkg package manager. diff -urp apt-0.7.9.old/methods/gpgv.cc apt-0.7.9/methods/gpgv.cc --- apt-0.7.9.old/methods/gpgv.cc 2007-10-02 14:34:38.000000000 +0200 +++ apt-0.7.9/methods/gpgv.cc 2007-11-24 10:26:15.000000000 +0100 @@ -210,7 +210,7 @@ string GPGVMethod::VerifyGetSigners(cons } else if (WEXITSTATUS(status) == 111) { - ioprintf(ret, _("Could not execute '%s' to verify signature (is gnupg installed?)"), gpgvpath.c_str()); + ioprintf(ret, _("Could not execute '%s' to verify signature (is gpgv installed?)"), gpgvpath.c_str()); return ret.str(); } else