[pkg-gnupg-maint] transitioning to GnuPG 2.1 in debian

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Apr 14 01:05:59 UTC 2015


Hi Debian GnuPG packagers--

As jessie releases, I wanted to get more discussion going about the
possible transition of debian to the GnuPG 2.1 branch as the default
for /usr/bin/gpg.

This is likely to take a long time; jessie is about to release, and it
will have 1.4.x and 2.0.x available, and we will need to support it.

But in the long term, we ought to be providing our users with the more
modern implementation by default (esp. as ECC comes online for other
users) and we should help upstream reduce the cognitive load by trying
to minimize the number of versions that need attention.

I've written up the briefest of sketches for some possible ways to do a
transition here:

  https://wiki.debian.org/Teams/GnuPG/Transition

And i'm including it below as well.

Any objections or complaints about the possibility of considering this
kind of a change?

Any suggestions or thoughts about the best way forward?

I figure whatever we do we're likely to prep it in experimental and then
drop it into unstable once jessie releases, but i'd like to get a plan
on the table that people have thought about.

Any thoughts?

    --dkg


------------------------
= Transitioning to GnuPG 2.1 within Debian =

This is currently brainstorming, not a hard plan.

Rationale: we should eventually move from GnuPG 1.4.x to the modern
version of GnuPG (2.1 branch) as the default in Debian.  This should
provide our users with Elliptic curve crypto, a proper cryptographic
agent, better-indexed keybox format, and daemonized keyserver support
(which copes better with transient pool outages).

Several different possible approaches (these could be combined):

== /etc/alternatives ==

 * make gnupg packages provide /usr/bin/gpg1 and gpgv1, etc, and point to them with /etc/alternatives
 * make gnupg2 packages conflict with earlier versions of gnupg, and provide the alternatives themselves
 * set the preferences such that gnupg2 is preferred

== hard cutover ==

 * the gnupg2 source package could take over the gnupg binary packages

 * gnupg could start providing gnupg1 binary packages

== metapackage ==

introduce a metapackage that depends on gnupg2 | gnupg1


= Concerns =

here are some things that the gnupg1 packaging currently provides that we ought to be providing in the gnupg2 packages:

 * udev rules for smartcards
 * udebs for d-i
 * win32 gpgv

= Open Questions =

 * How long will we need to support the 1.4 branch for?
 * What risks does gnupg 2.1 have for the long term?
 * is it OK to drop the 2.0.x branch entirely?
 * What is the time frame for this change?  (can we complete the transition in stretch?)
------------------------