[pkg-gnupg-maint] Bug#853102: libgpgme11: downgrade gnupg2 (gnupg) dependency to Recommends:

Ivan Shmakov ivan at siamics.net
Sun Jan 29 18:57:19 UTC 2017 

Package:  libgpgme11
Version:  1.5.1-6
Severity: minor

	[Apologies for not actually checking if the problem described is
	relevant to Debian testing.]

Package: libgpgme11
[…]
Depends: gnupg2 (>> 2.0.4), […]

	I believe that libgpgme11 should NOT depend on gnupg2 – in the
	same way that, say, libcurl3 does not depend on Apache, nor does
	libpq5 depend on the PostgreSQL server package.

	Assuming that packages depending on libgpgme11 do so
	in order to provide GPGME /as an option/ (and to satisfy the
	respective run-time ld.so dependency; as it appears to be in the
	case of Mutt; see below), I suggest downgrading the dependency
	to Recommends: (with Conflicts: also added if necessary.)

	Long story short, I’ve recently tried to install Mutt on a
	“headless,” tty-over-SSH-only server.  To my surprise, APT found
	that it depends on libgtk2.0-0!  Thankfully, no, Mutt wasn’t
	upgraded to provide a GUI; the problem was in the
	‘pinentry-gtk2’ package – which is required by gnupg-agent,
	which is in turn required by gnupg2, and thus libgpgme11.
	(JFTR, I’m aware of pinentry-curses.)

	To make things weirder, Mutt doesn’t even /use/ GPGME in its
	default settings (whether upstream or Debian; see below); but of
	course being built with such support, the binary (or, rather,
	ld.so) requires the library to run.

	To quote /usr/share/doc/mutt/manual.txt.gz:

3.44. crypt_use_gpgme

Type: boolean
Default: no

This variable controls the use of the GPGME-enabled crypto backends.  If it
is set and Mutt was built with gpgme support, the gpgme code for S/MIME and
PGP will be used instead of the classic code.  Note that you need to set
this option in .muttrc; it won’t have any effect when used interactively.

	And indeed, providing an otherwise empty, “fake” gnupg2 package
	[1] made it possible to install and use Mutt with no obvious ill
	effects (using [2] as the test file.)  For instance:

	• by default, ‘gpg’ command is used (per /etc/Muttrc.d/gpg.rc)
	  directly for signature checking; no GPGME calls are
	  (presumably) performed, hence little (if any) chance that the
	  ‘gnupg2’ absence may affect Mutt operation in any way;

	• when run with -e "set crypt_use_gpgme = yes", Mutt calls
	  GPGME, which appears to call the ‘gpg’ command in turn –
	  the one provided by the ‘gnupg’ (1.5.1-6) package in my case;

	• finally, prepending also to PATH a directory containing ‘gpg’
	  and ‘gpgconf’ symlinks to /bin/false makes Mutt fail
	  gracefully when trying to verify OpenPGP signatures in the
	  messages.

	From the above, I conclude that ‘gnupg2’ is not strictly
	necessary to run Mutt (and presumably other packages built with
	GPGME support), and thus per [3] (quoted below) should be
	requested with Recommends: rather than Depends:.

	This issue is perhaps less relevant to Debian testing, as there
	GnuPG 2 finally replaced GnuPG 1.  Still, it’s possible to rely
	on the ‘gpgv’ package for OpenPGP signature validation (just as
	‘apt’ does), and avoid the use of the full-weight ‘gnupg’
	package.  So, I would suggest using Recommends: for the
	dependency there too.

[1] http://am-1.org/~ivan/dist/gnupg2_2.0.26-6+deb8u1_all.deb
    SHA-256: 228ea1789f17e3a0fb81496327f76f1c95e740710dd147b005b5e8077aab1682
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=430213;mbox=yes;mboxmaint=yes
[3] http://debian.org/doc/debian-policy/ch-relationships.html#s-binarydeps

    Depends

[…]

	The Depends field should be used if the depended-on package is
	required for the depending package to provide a significant
	amount of functionality.

[…]

   Recommends

	This declares a strong, but not absolute, dependency.

	The Recommends field should list packages that would be found
	together with this one in all but unusual installations.

-- 
FSF associate member #7257
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20170129/c002d497/attachment.sig>

More information about the pkg-gnupg-maint mailing list