[pkg-gnupg-maint] Bug#1064040: Bug#1064040: src:gnupg2: Please remove Recommends: gnupg from all binary packages

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri May 17 16:57:30 BST 2024 

Hi Julian--

On Fri 2024-02-16 10:42:35 +0100, Julian Andres Klode wrote:
> gnupg is a big meta package pulling in all sorts of weird stuff
> people don't want by default on their machine, like a wks server.

I agree with this generally, but upstream seems to generally want all
packages available in a standard installation, and hasn't committed to
clear boundaries about what things will fail when certain subpieces are
missing.  See for example discussion in #873499

The explicit Recommends is trying to encourage behavior that aligns with
upstream's wishes.

> That wks server in experimental now pulls in a mail transport
> agent.

Andreas resolved this by moving gpg-wks-server to a Suggests from a
Recommends.

> 1. gnupg should move to the metapackages section

This is a good idea, i've moved it there in git, and it should be
included in the next upload.

> 2. All Recommends on gnupg should be removed, we don't want that
>    installed by default.
> 3. gpg should Recommends keyboxd and dirmngr as they will frequently be
>    needed when using gpg
>
> And then we should clean up all reverse dependencies to say gpg.

I'm reluctant to do these parts for the above reasons.

> I think I plan to do this in Ubuntu. The alternative would be
> to demote all non-interesting gnupg dependencies to suggests,
> those would be:
>
> - gnupg-utils
> - gpg-wks-server
> - gpgv [stuff will depend on that anyway if it needs it, like apt does]
> - maybe gpg-wks-client

As mentioned above, gpg-wks-server is already in Suggests (thanks,
Andreas!)

I'm moving the remaining three packages from the above list to
Recommends: (instead of Depends:) for the gnupg package.

> This may make the gnupg package *actually useful* rather than
> be a pointless metapackage that nobody actually wants to install.

I don't know how to strike a happy balance between what most users want
(something minimal, to not have to think about OpenPGP at all, and have
it just work silently in the background) and what upstream seems to want
(a complicated interconnected system with lots of subtle
configurability).

            --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 324 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnupg-maint/attachments/20240517/55a4fd46/attachment.sig>

More information about the pkg-gnupg-maint mailing list