Hi Ivan-- On Sun 2017-01-29 13:57:19 -0500, Ivan Shmakov wrote: > [Apologies for not actually checking if the problem described is > relevant to Debian testing.]
i'm not sure which exact problem is the one you think is most important, but if this is it: > Long story short, I’ve recently tried to install Mutt on a > “headless,” tty-over-SSH-only server. To my surprise, APT found > that it depends on libgtk2.0-0! Thankfully, no, Mutt wasn’t > upgraded to provide a GUI; the problem was in the > ‘pinentry-gtk2’ package – which is required by gnupg-agent, > which is in turn required by gnupg2, and thus libgpgme11. > (JFTR, I’m aware of pinentry-curses.) then you'll be glad to know that the depenencies in debian testing are such that pinentry-curses is the only thing that would be installed automatically on a headless server. I think that's a reasonable tradeoff. Note that even on jessie, if you do: apt install pinentry-curses apt install mutt then you dont' get the heavyweight libgtk dependency chain. > To make things weirder, Mutt doesn’t even /use/ GPGME in its > default settings (whether upstream or Debian; see below); but of > course being built with such support, the binary (or, rather, > ld.so) requires the library to run. i believe (and hope!) that newer versions of mutt will use gpgme by default. > And indeed, providing an otherwise empty, “fake” gnupg2 package > [1] made it possible to install and use Mutt with no obvious ill > effects (using [2] as the test file.) For instance: this seems like a lot of work, compared to just manually installing pinentry-curses before installing mutt, no? > From the above, I conclude that ‘gnupg2’ is not strictly > necessary to run Mutt (and presumably other packages built with > GPGME support), and thus per [3] (quoted below) should be > requested with Recommends: rather than Depends:. you're doing pretty heavy surgery on these tools in order to reach a "graceful" failure state. If you're ok doing that surgery, then i'm ok with you getting to deal with the aftereffects ;) As a maintainer, though, i'd really rather have the defaults Just Work. I agree with you that the default dependency chain in Jessie is too heavy (see https://bugs.debian.org/764292), but it's rather complicated to switch that around in jessie today. It will be better in stretch. :) > This issue is perhaps less relevant to Debian testing, as there > GnuPG 2 finally replaced GnuPG 1. Still, it’s possible to rely > on the ‘gpgv’ package for OpenPGP signature validation (just as > ‘apt’ does), and avoid the use of the full-weight ‘gnupg’ > package. I don't think that's technically correct, for either mutt or for libgpgme. gpgv is a specially-targeted tool, which expects a well-curated keyring and does not do any certificate validation or management. If there's a way that people are trying to use gpgv with mutt, i'd like to hear about it though! I'm going ahead and closing this bug because i think the underlying request has already been addressed quite some time ago in testing (see #764292, as mentioned above), but feel free to keep chatting here or on pkg-gnupg-ma...@lists.alioth.debian.org if you want to follow up. Thanks for the report, --dkg
signature.asc
Description: PGP signature