
Re: Replacing/phasing out PGP (was Re: Idea for non-free organization)



jdassen@wi.leidenuniv.nl writes:

> How difficult would it be to extend our infrastructure (new maintainer
> acceptance; developer-keyring; dpkg-dev) with support for gpg?

The debian-keyring package (to be uploaded RSN (honest)) contains a
debian-keyring.gpg.  If you want to generate a GnuPG key and send it
to gpg-update@debian.org, it'll be added.

New maintainer is not a problem; as soon as GnuPG is in place, we'll
just insist maintainers use it (as opposed to insisting they use
non-free software).

dpkg-dev and dinstall are the only things that need to be fixed.
dinstall is trivial, it just has to handle gnupg signed packages.
dpkg-dev is more complex; does gnupg become the default signing method
in unstable?  If so we should change the pgp-command in
dpkg-buildpackage to default to gpg.

But this will bite lots of current maintainers who try to build
packages and get flummoxed when build/dpkg-buildpackage starts moaning
"gpg command not found" and they then have to be told to do -ppgp.  If
pgp stays as default we have to tell all new maintainers to use -pgpg
because their PGP keys won't be in the Debian keyring.  It's not a
nice situation, and I would like to hear what others think.

Either way, I seriously detest the use of the non-free PGP in Debian,
it's rank hypocrisy and it has already lost us at least one new
maintainer, and I think now that we have GnuPG it would be
unbelievably Wrong not to use it in place of PGP.  IMO, either by
slink (if we go to FHS in slink [i.e. every package has to be
reuploaded anyway]) or in 2.2/whatever, you should be able to verify a
Debian package without using the non-free PGP.  This means forcing all
developers to generate gnupg keys; I don't personally see this as a
problem (again, it's a case of forcing free software onto developers,
so we don't have to force non-free software onto our users and new
developers), but I suspect some people will.

-- 
James
~Yawn And Walk North~                                  http://yawn.nocrew.org/

