gpgv udebs

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Aug 11 23:51:35 UTC 2015


hi debian installer folks--

this message is not urgent, just a heads-up to the debian installer
folks (and the pkg-gnutls folks, since libksba comes up later) from a
gnupg maintainer.  (i don't think i'm subscribed to debian-boot, please
keep me cc'ed!)

i believe the installer relies on gpgv for archive manifest signature
verification.  we have gpgv-udeb for that purpose, i think.

It's likely that at some point (i'm hoping before stretch) we'll want to
move most of our GnuPG reliance to the 2.1 branch, since that will allow
us to take advantage of stronger, smaller, faster cryptography and will
also help to keep our tools aligned with where upstream's main
development focus is.

As a result, i'd like to consider moving the gpgv udeb over to the
gnupg2 package sometime soon.

gpgv2 has more dependencies than gpgv, though:

gpgv2 Depends: libbz2-1.0, libc6 (>= 2.14), libgcrypt20 (>= 1.6.1), libgpg-error0 (>= 1.14), libksba8 (>= 1.2.0), zlib1g (>= 1:1.1.4)

 gpgv Depends: libbz2-1.0, libc6 (>= 2.14), zlib1g (>= 1:1.1.4)

so we're talking about adding three dependencies as udebs:

  libgcrypt20, libgpg-error0, libksba8

Of these three dependencies:

 * gpg-error is simple/small/trivial: i don't think it's particularly
   objectionable, and there's already a udeb for it.

 * libgcrypt is the actively-developed crypto library that the we want
   to rely on instead what's effectively an embedded stripped-down copy
   in gpgv, so i think this is an actively good dependency to add.
   libgcrypt also already has a udeb.

 * libksba8 is the X.509 and CMS support library used by GnuPG.  we
   probably don't strictly need this for the installer (our archive
   signatures use OpenPGP signatures and not CMS).  I can work on a
   stripped-down build of gpgv2 that doesn't have this dependency if we
   think that would be useful for minimizing the installer.
   Alternately, I can work with pkg-gnutls to add a udeb for libksba
   (we've already discussed the possibility of transferring the libksba
   from pkg-gnutls to pkg-gnupg)

let me know if you have any concerns, preferences, or questions about
this work, and if you have specific time windows that it would be good
to aim for.

Regards,

        --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 948 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20150811/c7baf056/attachment.sig>


More information about the Pkg-gnutls-maint mailing list