[pkg-gnupg-maint] keyboxd by default considered harmful
Julian Andres Klode
jak at debian.org
Fri Mar 1 10:59:13 GMT 2024
So,
after a report of gnupg 2.4 breaking some tooling in Ubuntu[1], we
analysed it and found out that if `use-keyboxd` is set, gpg just
silently ignores any keyring arguments, as it only takes public
keys stored in keyboxd.
On new installs, aka. if ~/.gnupg does not exist, gnupg automatically
enables keyboxd by writing `use-keyboxd` to common.conf.
I just patched Ubuntu's GnuPG to not do that, I think this may be
the right call for Debian as well.
This has another effect on the dependencies: We discussed adding
dirmngr and keyboxd to Recommends (arguably gpg-agent too), with
keyboxd not enabled by default, it would go into Suggests. Which
is also what I implemented in Ubuntu:
gpg{,sm} having
Recommends: gpg-agent, dirmngr
Suggests: keyboxd
added to them
Let me know if this sounds sensible and I'll go update my merge
for the dependencies next week and open one to disable use-keyboxd,
or I can merge that into one merge.
Also I opened a merge to add the --assert-pubkey-algo feature
from the 2.4 branch; apt 2.7.13 in unstable is using that to
enforce a new repository signing policy if available. Consider
merging it so Debian users can install gnupg from testing and
get safer APTs :)
[1] https://github.com/canonical/cloud-init/issues/4989
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
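As an added illustration (not part of the mail above, nor code from GnuPG or the Debian/Ubuntu packaging), the following POSIX sh snippet shows the check a script that verifies signatures against a pinned keyring would want before trusting `gpg --keyring`: if `common.conf` in the GnuPG home carries an active `use-keyboxd` line, gpg 2.4 consults only keyboxd and silently drops the keyring arguments, so verification would run against whatever keys that user happens to hold instead of the intended keyring. The function names and the sample homes are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: detect a GnuPG home where gpg 2.4 ignores --keyring because
# common.conf enables keyboxd.  Helper names are assumptions for this example.

# keyboxd_enabled HOME
#   Returns 0 if HOME/common.conf has an active (uncommented) use-keyboxd line.
#   GnuPG option files treat '#' as a comment marker and allow leading blanks.
keyboxd_enabled() {
    _conf="$1/common.conf"
    [ -f "$_conf" ] || return 1
    grep -Ev '^[[:space:]]*#' "$_conf" \
        | grep -Eq '^[[:space:]]*use-keyboxd([[:space:]]|$)'
}

# check_keyring_args HOME
#   Warn and return 1 if --keyring would be ignored for this GnuPG home.
check_keyring_args() {
    if keyboxd_enabled "$1"; then
        echo "warning: $1/common.conf sets use-keyboxd; gpg --keyring is ignored" >&2
        return 1
    fi
    return 0
}

# disable_keyboxd HOME
#   Comment out use-keyboxd in HOME/common.conf (keeps a .bak copy).
#   This only stops gpg from consulting keyboxd; keys already imported into
#   keyboxd are not migrated back to pubring.kbx by this script.
disable_keyboxd() {
    _conf="$1/common.conf"
    [ -f "$_conf" ] || return 0
    sed -i.bak -E 's/^([[:space:]]*)use-keyboxd/\1#use-keyboxd/' "$_conf"
}

# Constructed demo homes (sample data for this example only).
demo=$(mktemp -d)
mkdir -p "$demo/fresh" "$demo/legacy"
printf 'use-keyboxd\n' > "$demo/fresh/common.conf"     # what a fresh 2.4 install writes
printf '# use-keyboxd\n' > "$demo/legacy/common.conf"  # commented out: keyring args honoured

for home in "$demo/fresh" "$demo/legacy"; do
    if check_keyring_args "$home"; then
        echo "$home: --keyring arguments are honoured"
    else
        echo "$home: disabling keyboxd"
        disable_keyboxd "$home"
    fi
done
rm -rf "$demo"
```

Run it with the real home by calling `check_keyring_args "${GNUPGHOME:-$HOME/.gnupg}"` before any `gpg --keyring ... --verify` step; a non-zero return means the pinned keyring is not what gpg would actually consult.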