Bug#620064: apt: please drop dependency on gnupg
On Tue, Mar 29, 2011 at 18:32, Carsten Hey <carsten@debian.org> wrote:
> please drop apt's dependency on gnupg.
>
> There has already been some discussion in related bugs #387688 and
> #558784.

How do we move forward if d-a-k as well as APT do not depend on gnupg
anymore while d-a-k in its current state needs it to add its keys to
the trusted.gpg file through apt-key?

For me a plan looks more like:
- switch all keyring packages to store their keyrings in the new (=squeeze
  supports it) trusted.gpg.d directory - at best even more fragments if it
  makes sense, e.g. oldstable keys in another file than the one for testing.
  Links are fine, too.
- all keyrings recommend gpgv as that's enough for APT to check the signature,
  or depend on gpgv - depends on (pun intended) if you want to be able to use
  the keyring without APT or not…
- remove the gnupg dependency from APT
(- remove the apt dependency from all keyring packages)
(- downgrade APT's d-a-k dependency to a recommend)
- close all three bugs mentioned in this bug report here

I tried to convert the debian-archive-keyring recently, but failed at the
attempt to split the keyring into different files - but yeah, ultimately,
you (as in Debian) shouldn't trust a patch from someone without an official
status like me anyway in such a security-sensitive context, so feel free to
make it happen yourself: I would be happy about it at least (besides that, I
have done the split on my local machine by hand for testing purposes anyway).

Best regards
David Kalnischkies