[pkg-gnupg-maint] Bug#853102: Bug#853102: libgpgme11: downgrade gnupg2 (gnupg) dependency to Recommends:

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Feb 4 04:18:31 UTC 2017


Hi Ivan--

On Sun 2017-01-29 13:57:19 -0500, Ivan Shmakov wrote:
> 	[Apologies for not actually checking if the problem described is
> 	relevant to Debian testing.]

i'm not sure which exact problem is the one you think is most important,
but if this is it:

> 	Long story short, I’ve recently tried to install Mutt on a
> 	“headless,” tty-over-SSH-only server.  To my surprise, APT found
> 	that it depends on libgtk2.0-0!  Thankfully, no, Mutt wasn’t
> 	upgraded to provide a GUI; the problem was in the
> 	‘pinentry-gtk2’ package – which is required by gnupg-agent,
> 	which is in turn required by gnupg2, and thus libgpgme11.
> 	(JFTR, I’m aware of pinentry-curses.)

then you'll be glad to know that the dependencies in debian testing are
such that pinentry-curses is the only thing that would be installed
automatically on a headless server.  I think that's a reasonable
tradeoff.

Note that even on jessie, if you do:

    apt install pinentry-curses
    apt install mutt

then you don't get the heavyweight libgtk dependency chain.

> 	To make things weirder, Mutt doesn’t even /use/ GPGME in its
> 	default settings (whether upstream or Debian; see below); but of
> 	course being built with such support, the binary (or, rather,
> 	ld.so) requires the library to run.

i believe (and hope!) that newer versions of mutt will use gpgme by
default.

> 	And indeed, providing an otherwise empty, “fake” gnupg2 package
> 	[1] made it possible to install and use Mutt with no obvious ill
> 	effects (using [2] as the test file.)  For instance:

this seems like a lot of work, compared to just manually installing
pinentry-curses before installing mutt, no?

> 	From the above, I conclude that ‘gnupg2’ is not strictly
> 	necessary to run Mutt (and presumably other packages built with
> 	GPGME support), and thus per [3] (quoted below) should be
> 	requested with Recommends: rather than Depends:.

you're doing pretty heavy surgery on these tools in order to reach a
"graceful" failure state.  If you're ok doing that surgery, then i'm ok
with you getting to deal with the aftereffects ;)

As a maintainer, though, i'd really rather have the defaults Just Work.
I agree with you that the default dependency chain in Jessie is too
heavy (see https://bugs.debian.org/764292), but it's rather complicated
to switch that around in jessie today.  It will be better in stretch. :)

> 	This issue is perhaps less relevant to Debian testing, as there
> 	GnuPG 2 finally replaced GnuPG 1.  Still, it’s possible to rely
> 	on the ‘gpgv’ package for OpenPGP signature validation (just as
> 	‘apt’ does), and avoid the use of the full-weight ‘gnupg’
> 	package.

I don't think that's technically correct, for either mutt or for
libgpgme.  gpgv is a specially-targeted tool, which expects a
well-curated keyring and does not do any certificate validation or
management.  If there's a way that people are trying to use gpgv with
mutt, i'd like to hear about it though!

I'm going ahead and closing this bug because i think the underlying
request has already been addressed quite some time ago in testing (see
#764292, as mentioned above), but feel free to keep chatting here or on
pkg-gnupg-maint at lists.alioth.debian.org if you want to follow up.

Thanks for the report,

        --dkg