Hi Apt maintainers (and fellow debian GnuPG maintainers)--

i just wanted to see if we can get any action on this old bug report:

On Tue 2011-03-29 12:32:37 -0400, Carsten Hey wrote:

> please drop apt's dependency on gnupg.

We've talked about this in a few different contexts: it would be great
to have apt Depend: strictly on gpgv instead of the full gnupg package.
APT should really only be verifying OpenPGP signatures, and gpgv is a
dedicated tool for doing that as cleanly and simply as possible.

I understand that there's an "apt-key adv" function that expects a full
/usr/bin/gpg, and an "apt-key net-update" that is available in ubuntu
(but not in debian) which probably does the same. From apt-key(8):

    adv
        Pass advanced options to gpg. With adv --recv-key you can
        e.g. download key from keyservers directly into the trusted
        set of keys. Note that there are no checks performed, so it
        is easy to completely undermine the apt-secure(8)
        infrastructure if used without care.

    [...]

    net-update
        Perform an update working similarly to the update command
        above, but get the archive keyring from a URI instead and
        validate it against a master key. This requires an installed
        wget(1) and an APT build configured to have a server to
        fetch from and a master keyring to validate. APT in Debian
        does not support this command, relying on update instead,
        but Ubuntu's APT does.

Both of these things aren't things we should expect normal system
administrators to use -- they're dangerously insecure; and net-update
even explicitly says that it won't work without an extra package
installed. Perhaps we could make them both explicitly ask for "an
installed gpg(1)"?

I think apt-key also depends on gpg for the following subcommands:

    list
    finger
    export
    exportall

I'd be fine with having those fail if gnupg isn't installed.
As i mentioned in another bug report, "list" and "finger" shouldn't be
used for machine-parseable output anyway, so a warning visible to the
user ("please install gnupg to use apt-key list") and an error return
should be OK.

"export" selects a key by keyid or fingerprint, and would probably need
gpg's key management capabilities to be able to find the relevant key.
Again, i think it's ok for that to fail if gnupg isn't installed.

"exportall" (as well as "export") doesn't have any documented format
expectations, but in practice, people probably expect them to be blobs
in OpenPGP ASCII-armored format. This is pretty simple to calculate
(it's base64-encoding with a trailing CRC). We could make "exportall"
work without gpg by using cat and a little hand-crafted OpenPGP
ASCII-armoring subroutine if we want it to work without having gpg
installed.

The commands:

    add
    del
    update

should all be able to work with cat and cp.

So with respect to apt-key, it seems like we could move gnupg out of
"Depends" and into "Recommends" or "Suggests" with a few small changes.

Other than apt-key, are there any other pieces that would prevent apt
from moving to a dependency on gpgv instead of gnupg?

Regards,

        --dkg
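The "hand-crafted OpenPGP ASCII-armoring subroutine" mentioned above, as an added example that is not part of the message or of apt-key (which is a shell script; Python is used here for clarity). It implements the RFC 4880 section 6.1 CRC-24 and the armor layout (header, blank line, base64 body, "=" checksum line, footer), plus the inverse that checks the checksum so an exported blob can be validated before it is handed to another tool. The sample bytes are constructed and are not a real keyring.

```python
import base64

# RFC 4880 section 6.1: CRC-24 used for the armor checksum line.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """Bitwise CRC-24 exactly as given in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, block_type: str = "PUBLIC KEY BLOCK") -> str:
    """Wrap binary OpenPGP data (e.g. a concatenation of keyrings) in ASCII armor."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]  # gpg wraps at 64 columns
    crc_line = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN PGP {block_type}-----", ""] + lines
                     + [crc_line, f"-----END PGP {block_type}-----", ""])


def dearmor(text: str) -> bytes:
    """Reverse of armor(): decode the body and reject it if the CRC-24 line does not match."""
    lines = text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP "))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP "))
    blank = lines.index("", start)  # armor headers, if any, end at the first blank line
    if blank > end:
        raise ValueError("malformed armor: no blank line before footer")
    body = lines[blank + 1:end]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing armor checksum line")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    expected = int.from_bytes(base64.b64decode(body[-1][1:]), "big")
    if crc24(data) != expected:
        raise ValueError("armor checksum mismatch")
    return data


if __name__ == "__main__":
    sample = bytes(range(200))  # constructed stand-in for `cat /etc/apt/trusted.gpg.d/*.gpg`
    print(armor(sample))
    assert dearmor(armor(sample)) == sample
```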