Re: Replacing/phasing out PGP (was Re: Idea for non-free organization)
jdassen@wi.leidenuniv.nl writes:
> How difficult would it be to extend our infrastructure (new maintainer
> acceptance; developer-keyring; dpkg-dev) with support for gpg?
The debian-keyring package (to be uploaded RSN (honest)) contains a
debian-keyring.gpg. If you want to generate a GNUpg key and send it
to gpg-update@debian.org, it'll be added.
New maintainer is not a problem; as soon as GNUpg is in place, we'll
just insist maintainers use it (as opposed to insisting they use
non-free software).
dpkg-dev and dinstall are the only things that need to be fixed.
dinstall is trivial, it just has to handle gnupg signed packages.
dpkg-dev is more complex; does gnupg become the default signing method
in unstable? If so we should change the pgp-command in
dpkg-buildpackage to default to gpg.
But this will bite lots of current maintainers who try to build
packages and get flummoxed when build/dpkg-buildpackage starts moaning
"gpg command not found" and they then have to be told to do -ppgp. If
pgp stays as default we have to tell all new maintainers to use -pgpg
because their PGP keys won't be in the Debian keyring. It's not a
nice situation, and I would like to hear what others think.
Either way, I seriously detest the use of the non-free PGP in Debian,
it's rank hypocrisy and it has already lost us at least one new
maintainer, and I think now that we have GNUpg it would be
unbelievably Wrong not to use it in place of PGP. IMO, either by
slink (if we go to FHS in slink [i.e. every package has to be
reuploaded anyway]) or in 2.2/whatever, you should be able to verify a
Debian package without using the non-free PGP. This means forcing all
developers to generate gnupg keys; I don't personally see this as
problem (again, it's a case of forcing free software onto developers,
so we don't have to force non-free software onto our users and new
developers), but I suspect some people will.
--
James
~Yawn And Walk North~ http://yawn.nocrew.org/
--
To UNSUBSCRIBE, email to debian-policy-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: