[pkg-gnupg-maint] GnuPG package split and interlocking dependencies [was: Re: Bug#873499: Should depend on "gnupg | gnupg2 | gpg"]

Yuri D'Elia wavexx at thregr.org
Mon Sep 11 18:03:22 UTC 2017 

On Mon, Sep 11 2017, Daniel Kahn Gillmor wrote:
>> I'd recommend gpg-agent, and suggest gnupg instead.
>
> why?  upstream recommends shipping all the binaries in a single package
> as the standard deployment.  I'm trying to meet them halfway here.
<...>
> I'm willing to keep the split in debian to support narrowly-scoped, tiny
> systems administered by technically-competent people.  But we've got
> enough issues to focus on without encouraging full-blown desktop systems
> that have gpg fail because of missing dependenencies, which is what i
> think would happen if we moved the rest of the suite out of Recommends.
> Do you think that wouldn't happen?

There's one intricate example which I think would be useful for
discussion: what should libgpgme11 do? It currently depends on gnupg,
which installs the full suite. But that's a result of the old package
structure.

I would (personally) make libgpgpme11 depend on gpg only, and move the
burden of the final call to the actual tool facing the user. For
example, notmuch, which uses libgmime which in turn uses libgpgme11 does
that correctly by recommending the agent and gpgsm.

But I do see your point. It's an added burden on the maintainer.

> Thanks for the suggested text.  Can you explain why the package
> Description: should call out secret key use separately from, say,
> network access, or other modules of the suite?

My reasoning is that gpg is supposed to do encryption/decryption and
signing, and if you can't decrypt or sign because you don't have the
agent you're probably wondering what can you actually do with it.

I still see certificate management and network support as extra.

> they most certainly do -- for just one example, in a batch script where
> gpg is invoked a number of times, the long-running dirmngr process can
> cache knowledge about the network between invocations of gpg.

I guess this could happen.

This probably stems for my own usage of gpg itself, which doesn't
involve any network usage on the gpg part.

More information about the pkg-gnupg-maint mailing list