[pkg-gnupg-maint] Bug#872368: gpgme: please adjust libgpgme11 dependency on gnupg package

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Nov 29 22:56:57 UTC 2017


Hi Pierre--

Thanks for continuing to engage constructively on this.

The GnuPG packaging split that happened in 2.1.21-4 (and the subsequent
packages added to support things like WKS) does indeed cause more things
to be pulled in by the explicit dependency on the "gnupg" package than
used to be the case.

On Wed 2017-11-29 21:48:01 +0100, Pierre Ynard wrote:
> how about the reason that it violates the Debian policy?? I've brought
> it up several times in this thread already, and nobody has denied it.

iiuc, your contention about debian policy is:

>> The policy states that hard dependencies are for when they're needed
>> to provide a significant amount of functionality. mutt provides
>> plenty of functionality already without the option to GPG-sign emails
>> and even without checking email signatures. So from that point of
>> view, it hardly seems appropriate that mutt pulls unconditionally the
>> whole GnuPG suite.

But please consider that policy governs immediate dependencies.  That
is, it's not about whether *mutt* provides significant functionality
without GnuPG.  It's about whether *libgpgme* provides significant
functionality.

libgpgme provides *no functionality* whatsoever if gpg is not installed.

Without gpg-agent or dirmngr, libgpgme cannot provide secret key
operations, which is clearly a "significant amount of functionality".

Do you really think it's a violation of debian policy that gpgme
explicitly Depends on the full gnupg suite?

> Regardless, once again, I've made several suggestions that would leave
> them installed by default like you mentioned. Nobody has denied that it
> would be a positive solution for everybody.

Would the following change satisfy your concerns?  Would you be willing
to look out for (and help respond to) any bug reports that debian
receives about users of gpgme (including, but not limited to, mutt
users) who can no longer use their secret keys as expected?


diff --git a/debian/control b/debian/control
index f99a7401..429d2d9e 100644
--- a/debian/control
+++ b/debian/control
@@ -55,17 +55,20 @@ Description: GPGME - GnuPG Made Easy (development files)
 Package: libgpgme11
 Architecture: any
 Multi-Arch: same
 Pre-Depends:
  ${misc:Pre-Depends},
 Depends:
- gnupg (>> 2) | gnupg2 (>> 2.0.4),
+ gnupg (>= 2.1.21-4) | gpg,
  ${misc:Depends},
  ${shlibs:Depends},
-Suggests:
- gpgsm (>> 1.9.6),
+Recommends:
+ dirmngr,
+ gpg-agent,
+ gpg-wks-client,
+ gpgsm,
 Description: GPGME - GnuPG Made Easy (library)
  GPGME is a wrapper library which provides a C API to access some of the
  GnuPG functions, such as encrypt, decrypt, sign, verify, ...
  .
  This package contains the library.
  
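
Review bot: moving gpg-agent and dirmngr into Recommends means an install that skips Recommends can satisfy Depends through the `gpg` alternative alone, while the Description still advertises decrypt and sign, and the message above says secret key operations do not work without those two packages. Consider adding a Description paragraph that says secret key operations need gpg-agent and that dirmngr is needed as well, so the resulting failure mode is documented where users of the library will look. Separately, gpg-wks-client is not connected to any function the Description lists (encrypt, decrypt, sign, verify), so a short justification in the changelog, or Suggests instead of Recommends, would make the choice easier to review. The new `gpgsm` entry also drops the `(>> 1.9.6)` constraint from the old Suggests line; if that is intentional, say so in the commit message.
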
Note that this will make backporting of libgpgme to older distributions
more difficult.

Regards,

        --dkg