Bug#452640: unnecessarily drags in debian-archive-keyring and gnupg
Package: apt
Version: 0.7.9
Severity: normal
Tags: patch
apt depends on debian-archive-keyring, but it doesn't really need it, since
/usr/share/apt/debian-archive.gpg is already part of the apt package.
In turn, debian-archive-keyring depends on gnupg, which is only needed to
make apt-key useful. But apt-key doesn't provide essential functionality
in apt, since the Debian archive key is already loaded. For performing the
actual verification, gpgv should be enough.
See attached patch (also corrects a minor mistake in a gpgv method error
message).
-- System Information:
Debian Release: lenny/sid
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-amd64
Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8)
Versions of packages apt depends on:
ii debian-archive-keyring 2007.07.31~etch1 GnuPG archive keys of the Debian a
ii libc6 2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii libgcc1 1:4.1.1-21 GCC support library
ii libstdc++6 4.1.1-21 The GNU Standard C++ Library v3
apt recommends no packages.
-- no debconf information
diff -urp apt-0.7.9.old/debian/control apt-0.7.9/debian/control
--- apt-0.7.9.old/debian/control 2007-07-31 01:26:07.000000000 +0200
+++ apt-0.7.9/debian/control 2007-11-24 10:28:12.000000000 +0100
@@ -10,11 +10,11 @@ XS-Vcs-Bzr: http://bzr.debian.org/apt/de
Package: apt
Architecture: any
-Depends: ${shlibs:Depends}, debian-archive-keyring
+Depends: ${shlibs:Depends}, gpgv
Priority: important
Replaces: libapt-pkg-doc (<< 0.3.7), libapt-pkg-dev (<< 0.3.7)
Provides: ${libapt-pkg:provides}
-Suggests: aptitude | synaptic | gnome-apt | wajig, dpkg-dev, apt-doc, bzip2, lzma
+Suggests: aptitude | synaptic | gnome-apt | wajig, dpkg-dev, apt-doc, bzip2, lzma, debian-archive-keyring
Section: admin
Description: Advanced front-end for dpkg
This is Debian's next generation front-end for the dpkg package manager.
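Review bot: Moving debian-archive-keyring from Depends to Suggests on the "Package: apt" stanza removes the only hard link between apt and the package that carries the archive keys, so any key added or replaced through that package would no longer be guaranteed to reach a system, and verification would rest solely on the copy of the key shipped inside apt. If the aim is only to drop the indirect gnupg dependency, consider Recommends instead of Suggests, and document (for example in debian/changelog) how key changes are expected to be delivered once this dependency is gone. The new "Depends: ${shlibs:Depends}, gpgv" line is also unversioned; please confirm a gpgv package satisfying it exists in every suite this upload targets.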
diff -urp apt-0.7.9.old/methods/gpgv.cc apt-0.7.9/methods/gpgv.cc
--- apt-0.7.9.old/methods/gpgv.cc 2007-10-02 14:34:38.000000000 +0200
+++ apt-0.7.9/methods/gpgv.cc 2007-11-24 10:26:15.000000000 +0100
@@ -210,7 +210,7 @@ string GPGVMethod::VerifyGetSigners(cons
}
else if (WEXITSTATUS(status) == 111)
{
- ioprintf(ret, _("Could not execute '%s' to verify signature (is gnupg installed?)"), gpgvpath.c_str());
+ ioprintf(ret, _("Could not execute '%s' to verify signature (is gpgv installed?)"), gpgvpath.c_str());
return ret.str();
}
else
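Review bot: The message changed in the WEXITSTATUS(status) == 111 branch is wrapped in _(), so altering the text changes the translatable source string and existing translations of the old "is gnupg installed?" wording will stop matching; this patch touches only debian/control and methods/gpgv.cc. Please either update the translation catalogs in the same change or flag the string change for translators. The new wording itself is consistent with the gpgv dependency introduced in debian/control.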