
Bug#620064: apt: please drop dependency on gnupg



On Tue, Mar 29, 2011 at 18:32, Carsten Hey <carsten@debian.org> wrote:
> please drop apt's dependency on gnupg.
>
> There has already been some discussion in related bugs #387688 and
> #558784.

How do we move forward if d-a-k as well as APT do not depend on gnupg
anymore while d-a-k in its current state needs it to add its keys to
the trusted.gpg file through apt-key?

For me a plan looks more like:
- switch all keyring packages to store their keyrings in the new (=squeeze
  supports it) trusted.gpg.d directory - at best even more fragments if it
  makes sense, e.g. oldstable keys in another file than the one for testing.
  Links are fine, too.
- all keyrings recommend gpgv as that's enough for APT to check the signature,
  or depend on gpgv - depends on (pun intended) if you want to be able to use
  the keyring without APT or not…
- remove the gnupg dependency from APT
(- remove the apt dependency from all keyring packages)
(- downgrade APT's d-a-k dependency to a recommend)
- close all three bugs mentioned in this bugreport here


I tried to convert the debian-archive-keyring recently, but failed at the
attempt to split the keyring into different files - but yeah, ultimately,
you (as in debian) shouldn't trust a patch from someone without an official
status like me anyway in such a security sensitive context, so feel free to
make it happen yourself: I would be happy about it at least (besides that, I
have done the split on my local machine by hand for testing purposes anyway).


Best regards

David Kalnischkies


