[pkg-gnupg-maint] Bug#872368: gpgme: please adjust libgpgme11 dependency on gnupg package

Pierre Ynard linkfanel at yahoo.fr
Mon Nov 27 12:54:06 UTC 2017 

Hello,

> > Many mutt users do not do any secret key operation. I think those
> > who do need to create or setup a private key first - and probably
>
> To foster the use of end to end encryption we should get away from the
> need to install plugins. Encryption should be a core functionality of
> all MUAs and not something optional.

I understand your point, and your drive for security is great. However
to foster the use of free software we should get away from forcing users
to install unwanted software. Due to the current circumstances, I refuse
to proceed to any gnupg upgrade that would force on me all these new
packages and services that I don't need. How does that make you feel?

Saying that "to foster X, we should have Y installed by default" is not
a sufficient argument on its own because that can be said for about
anything. And regardless, that's not what the Debian policy says about
package dependencies. I'm not going to argue with your opinion about
what GnuPG's place in email should become; because that's not the
criterion for hard dependencies. If this was about web browsers, you
could rightly point out that without HTTPS support, much of the web and
most mainstream websites would be inaccessible, severely questioning the
usability of the browser without it. However for email, this is just not
the case at all.

Regarding what I said about the manual setup step: if you want to foster
and implement the core role of encryption in email, then I would suggest
to go all the way with an out-of-the-box experience and set up automatic
private key creation on package configuration or first launch; because
without that, the dependencies that were pulled in effectively remain
dead code - which proves that they aren't really dependencies, and
leaves them as unused bloat.

You will note that I am not even at odds with you on the default
availability of these tools: I made several suggestions such as
"Recommends: gnupg" or "Depends: gnupg | gpg" that would still have
them installed and fully available; it would just honor the policy and
restore the freedom to uninstall them to users who don't want or need
them.

Best regards,

-- 
Pierre Ynard
"Une âme dans un corps, c'est comme un dessin sur une feuille de papier."

More information about the pkg-gnupg-maint mailing list