[pkg-gnupg-maint] Bug#620064: apt: please drop dependency on gnupg

David Kalnischkies david at kalnischkies.de
Fri Jul 1 16:40:16 UTC 2016

Version: 1.3~exp1

On Fri, Jul 01, 2016 at 10:39:05AM -0400, Daniel Kahn Gillmor wrote:
> On Tue 2011-03-29 12:32:37 -0400, Carsten Hey wrote:
> > please drop apt's dependency on gnupg.
> We've talked about this in a few different contexts: it would be great
> to have apt Depend: strictly on gpgv instead of the full gnupg
> package.

Slightly ahead of you: I actually moved it to Recommends for the upcoming 1.3
release already. That version also complains about the reason why it is a
Recommends for now: apt-key being called from maintainer scripts to add/remove
keys. That is discouraged for years by now, but for now we have remains in
Debian itself (e.g. #390449, but that seems to be solved some way or another
eventually) and at least a bunch of third-party packages (I was told).
Given that there still exists things which use 'add' there is still a need
for 'del', so assuming all the bad guys are fixed in stretch, buster will
have an apt just suggesting gnupg…

In my book apt-key has very very limited real uses¹ compared to the heap of
things it is used for but shouldn't be anymore (like adding keys) – and
triggered by this (and the other bugreport) I am working on making that
a bit more obvious with more runtime warnings and manpage disclaimers now…

I somehow doubt this is going to help much (based on how the insecure
repository thing moved over the years and that was a lot more visible)
but at least we can point to ignored warning then.

Best regards

David Kalnischkies

¹ ironically, I think list (aka finger) is 99% of the valid uses
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20160701/0ced4708/attachment.sig>

More information about the pkg-gnupg-maint mailing list