[pkg-gnupg-maint] Bug#1091200: override: gpgv:utils/optional

Julian Andres Klode jak at debian.org
Sat Jan 4 21:03:52 GMT 2025


On Sat, Jan 04, 2025 at 06:03:11PM +0000, Sean Whitton wrote:
> Hello,
> 
> On Sat 04 Jan 2025 at 01:27pm +01, Andreas Metzler wrote:
> 
> > On 2025-01-04 Sean Whitton <spwhitton at spwhitton.name> wrote:
> >> On Mon 23 Dec 2024 at 01:17pm +01, Julian Andres Klode wrote:
> > [...]
> >>> The gpgv tool is no longer used by apt as of the 2.9.19 upload.
> >>> It is the only thing left pulling in libgcrypt and a whole bunch
> >>> of GnuPG packages into a standard debootstrap.
> >
> >>> I suggest demoting it to optional. I do not believe use of gpgv
> >>> by users is super wide-spread that it warrants standard priority.
> >
> >> Generally it is helpful in bootstrapping situations to verify, e.g.,
> >> checksums for ISOs, and the like.
> >
> >> What do the gpg maintainers think?
> >
> > Hello,
> >
> > checking an installation medium's signature would happen
> > before/instead of debootstrap so I do not see how that is relevant for
> > keeping gpgv standard. In the longer term I hope to see a move to using
> > a stateless interface for verification.
> >
> > Active gnupg users will install the gnupg metapackage which recommends
> > gpgv so it will be installed anyway.
> >
> > I fail to see why gpgv's priority cannot be demoted.
> 
> Thanks for the feedback.
> 
> The sort of situation I had in mind was where you have a Debian system
> and not much else and you are trying to bootstrap to more; having gpgv
> available can be helpful.

But in all practical cases, you can just run

    sqv --keyring keyring SIGNATURE FILE

instead of 

    gpgv --keyring keyring SIGNATURE FILE

We're only missing clear-signed signature support in sqv right now,
we're hopeful to get that too, and then the preferred UX may be

    sqv --keyring keyring --signature-file SIGNATURE FILE

    sqv --keyring keyring --cleartext FILE

I've been working on adding that in, my main trouble has been keeping
the existing command-line working too (FILE SIGNATURE instead of
--signature-file SIGNATURE FILE) :D

Or I should not say "working", because it works easily, but actually
having clap, the command-line parser library, render a useful usage
string :D

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
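
Added example, not part of the original message: a POSIX shell wrapper that picks between the two verifiers discussed above, using sqv for detached signatures and gpgv for clear-signed files, which the message says sqv does not support yet. The function names are hypothetical; the only invocations used are the `--keyring` forms shown in the message plus gpgv's single-file form for clear-signed input.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumption from the message:
# sqv verifies detached signatures only, so clear-signed input goes to gpgv.

# sig_kind FILE: print "cleartext" if FILE starts with the OpenPGP
# clear-sign header, else "detached". Returns 2 if FILE is unreadable.
sig_kind() {
    [ -r "$1" ] || return 2
    first=$(head -n 1 < "$1" | tr -d '\r')
    case $first in
        '-----BEGIN PGP SIGNED MESSAGE-----') echo cleartext ;;
        *) echo detached ;;
    esac
}

# pick_tool KIND: print the verifier to run; fail if none is installed.
pick_tool() {
    case $1 in
        detached)
            if command -v sqv >/dev/null 2>&1; then echo sqv
            elif command -v gpgv >/dev/null 2>&1; then echo gpgv
            else return 1
            fi ;;
        cleartext)
            if command -v gpgv >/dev/null 2>&1; then echo gpgv
            else return 1
            fi ;;
        *) return 1 ;;
    esac
}

# verify KEYRING FILE [SIGNATURE]: exit status 0 only if a verifier ran and
# accepted the signature. Pass KEYRING as a path containing a slash: gpgv
# resolves bare names relative to its home directory.
verify() {
    keyring=$1 file=$2 sig=${3:-}
    if [ -n "$sig" ]; then kind=detached
    else kind=$(sig_kind "$file") || return 2
    fi
    if [ "$kind" = detached ] && [ -z "$sig" ]; then
        echo "verify: $file is not clear-signed and no signature was given" >&2
        return 2
    fi
    tool=$(pick_tool "$kind") || { echo "verify: no verifier for $kind" >&2; return 2; }
    if [ "$kind" = cleartext ]; then "$tool" --keyring "$keyring" "$file"
    else "$tool" --keyring "$keyring" "$sig" "$file"
    fi
}
```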