Package: python-apt
Version: 1.8.4
Severity: normal

Hi,

a few months ago, the gnupg package was split into multiple binary
packages, gnupg remaining a dependency helper pulling in everything.
python-apt (the python 2 version, the python 3 version for some reason
does it better) depends on "gnupg", pulling in the entire suite
including gnupg-agent, which in turn creates user sockets in /run/user.

This raises concerns with some security departments who rightfully
question why somebody would use a gnupg-agent on a server.

Please consider relaxing the dependency on gnupg, making it only depend
on the parts of the gnupg suite that python-apt actually needs. I do
seriously doubt that a dependency on the parts of the suite that handle
secret keys and secret keyrings is really needed.

Thanks!

Greetings
Marc
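The check behind this report, written out as an added example (it is not part of the bug report, nor python-apt's or Debian's own tooling): a small POSIX shell audit that takes a package's `Depends:` value and reports whether it names the bare `gnupg` meta-package (which pulls in the whole suite, gnupg-agent included) rather than a component such as `gpgv`. The sample `Depends:` strings are constructed for the example; on a real system the value comes from `dpkg-query -W -f='${Depends}\n' python-apt`.

```shell
#!/bin/sh
# Added example, not from the bug report: audit a Depends field for the
# "gnupg" meta-package. Input is the Depends value as dpkg-query/apt-cache print it.

# Print the bare package names from a Depends value, one per line.
# Strips version constraints "(>= 1.2)" and ":any" qualifiers, and splits
# both the "," separators and the "|" alternatives.
depends_names() {
    printf '%s\n' "$1" \
      | tr ',|' '\n\n' \
      | sed -e 's/([^)]*)//g' -e 's/:any//g' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | grep -v '^$'
}

# Exit status 0 if the Depends value names the "gnupg" meta-package itself
# (which drags in gnupg-agent), 1 if only components such as gpgv are used.
depends_on_gnupg_meta() {
    depends_names "$1" | grep -qx 'gnupg'
}

# Constructed sample values (not the real Depends of any package version).
SAMPLE_META='python (>= 2.7), gnupg (>= 2.1), libapt-pkg5.0 (>= 1.8)'
SAMPLE_COMPONENT='python3:any, gpgv | gpgv2, libapt-pkg5.0 (>= 1.8)'

# Report on one package name plus its Depends value.
report() {
    if depends_on_gnupg_meta "$2"; then
        printf '%s: depends on the gnupg meta-package (full suite, incl. gnupg-agent)\n' "$1"
    else
        printf '%s: no dependency on the gnupg meta-package\n' "$1"
    fi
}

report "sample-py2" "$SAMPLE_META"
report "sample-py3" "$SAMPLE_COMPONENT"
# Live use on a Debian host (real dpkg-query syntax):
#   report python-apt "$(dpkg-query -W -f='${Depends}\n' python-apt)"
```

The split on `|` deliberately treats every alternative as a possible dependency, so a `gnupg | gpgv` alternative is still flagged: apt is free to satisfy it with the meta-package, which is exactly what the report complains about.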
