
Bug#620064: apt: please drop dependency on gnupg



* Carsten Hey [2011-03-31 02:18 +0200]:
> * David Kalnischkies [2011-03-30 18:11 +0200]:
> > It doesn't currently (command not found), but after all, what is a
> > 'sane way' to fail?
>
> ...
>
> Patch attached.

This patch was a bit too simple, since it does not allow net-update or
help to be run. I could prepare an improved patch if you want me to do so.

> I attached an example postinst for keyring packages. It currently does
> not handle migration from keyring packages using apt-key to the new
> interface. It also does not handle removing keys (would be the wrong
> script anyway ;)).

There could be a debhelper command (either as part of debhelper itself
or an extra package ideally maintained by the APT team) for keyrings
that installs the maintainer scripts and places the keyrings into
/usr/share/keyrings.  On the other hand, it would only be used by a few
packages.  The advantage (besides avoiding everyone inventing their own
scripts) would be that future changes would only require one package to
be changed.  This debhelper command could also handle the dependency on
gpgv.

If you want to recommend d-a-k instead of depending on it, debootstrap and
cdebootstrap should also install d-a-k if they install apt. Appropriate
bugs would need to be filed.

Files in /usr/share/keyrings must not be changed by apt-key.  One way to
ensure this could be:
 * Keyring packages installing links to trusted.gpg.d set their
   permissions to 444 (not writable).  This could be handled by
   dh_fixperms.
 * apt-key checks if the keyring to be changed is a symlink (maybe
   additionally if it is outside of /etc?) to a file without write
   permissions.  If it is, it replaces the symlink with the keyring file
   and then changes it.

Whether keyrings are split into multiple files could be up to the keyring
maintainers.  apt-key could try to handle keyrings with a single key in
a sane way, for example, if such a key is removed just remove the
symlink.

After apt-key has been improved, possibly debootstrap, cdebootstrap
and/or debhelper have been adapted and the example/template maintainer
scripts have been approved by the APT team (you), bugs against the
keyring packages could be filed.  After the fix for apt's postinst has
been applied apt's dependency on gnupg could IMHO be dropped.


Regards
Carsten
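
The symlink check proposed in the message above, sketched as an added example (not apt-key's code and not part of the original message). The function names are hypothetical, and "without write permissions" is assumed to mean that no write bit is set in the file mode, since `[ -w ]` is always true for root.

```shell
#!/bin/sh
# Added example, not apt-key code. is_readonly and materialize_keyring
# are hypothetical helper names.

# Return 0 if no write bit (owner/group/other) is set on the file the
# path resolves to. Mode bits are inspected instead of `[ -w ]`, which
# always succeeds for root.
is_readonly() {
    case $(ls -ldL -- "$1" | cut -c1-10) in
        *w*) return 1 ;;
        *)   return 0 ;;
    esac
}

# If $1 is a symlink to a read-only regular file, replace the symlink
# with a private writable copy, so later edits never reach the packaged
# keyring. Prints "copied" or "unchanged".
materialize_keyring() {
    keyring=$1
    if [ -L "$keyring" ] && [ -f "$keyring" ] && is_readonly "$keyring"; then
        # Temp file in the same directory so the final mv is a rename.
        tmp=$(mktemp "$keyring.XXXXXX") || return 1
        # cat follows the symlink and reads the packaged keyring.
        if cat -- "$keyring" > "$tmp" && chmod 644 "$tmp" \
            && mv -f -- "$tmp" "$keyring"; then
            echo copied
        else
            rm -f -- "$tmp"
            return 1
        fi
    else
        echo unchanged
    fi
}
```

A caller would run `materialize_keyring` on the keyring path before modifying it; symlinks to writable files and regular files are left alone.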


