Add gnupg as apt dependency in Squeeze to be able to solve #387688 in Squeeze+1?
Hi,
currently apt depends on debian-archive-keyring which depends on gnupg.
It has been proposed to remove the latter dependency in #387688, this
would save about 5 MB of disk space in a sid debootstrap.
I don't see how this bug could be fixed in debian-archive-keyring but
think it should be fixed in apt instead. Anyhow, if a user would
upgrade to debian-archive-keyring/Squeeze+1 without the gnupg dependency
and still have apt/Squeeze installed during a partial upgrade, he or she
could end up with a system that has no gpgv installed. There are some
quite hackish ways involving versioned dependencies and/or conflicts to
ensure a clean upgrade path if this bug will be fixed in Squeeze+1, the
most clean one seems to me to make apt/Squeeze explicitly depend on
gnupg.
Thus I propose to make apt's implicit dependeny on gnupg explicit to be
able to fix #387688 for Squeeze+1 and still provide a clean upgrade path
from Squeeze.
Would an apt upload with the following diff (plus changelog entry) get
a freeze exception? If so, I'd like to ask the apt maintainers if they
are willing to do such an upload.
--- a/debian/control
+++ b/debian/control
@@ -12,7 +12,7 @@ Vcs-Bzr: http://bzr.debian.org/apt/debian-sid/
Package: apt
Architecture: any
-Depends: ${shlibs:Depends}, debian-archive-keyring, ${misc:Depends}
+Depends: ${shlibs:Depends}, debian-archive-keyring, gnupg, ${misc:Depends}
Replaces: manpages-pl (<< 20060617-3~)
Provides: ${libapt-pkg:provides}
Conflicts: python-apt (<< 0.7.93.2~)
Thanks for considering
Carsten
P.S.: Of course, updating local keyrings (which is what apt-key update
does) can't be done by a signature verification tool, so simply
telling apt-key to use gpgv instead of gpg would not work.
Reply to: