Your message dated Fri, 1 Jul 2016 18:40:16 +0200 with message-id <20160701164016.GA2216@crossbow> and subject line Re: Bug#620064: apt: please drop dependency on gnupg has caused the Debian Bug report #620064, regarding apt: please drop dependency on gnupg to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 620064: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=620064 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: apt: please drop dependency on gnupg
- From: Carsten Hey <carsten@debian.org>
- Date: Tue, 29 Mar 2011 18:32:37 +0200
- Message-id: <20110329163237.GV31514@furrball.stateful.de>
- Mail-followup-to: Carsten Hey <carsten@debian.org>, submit@bugs.debian.org
Package: apt Severity: wishlist Hi, please drop apt's dependency on gnupg. There has already been some discussion in related bugs #387688 and #558784. Having a dependency on gnupg in both, apt/squeeze and debian-archive-keyring/squeeze prevents problems with partial upgrades after this bug has been fixed. Regards Carsten
--- End Message ---
--- Begin Message ---
- To: Daniel Kahn Gillmor <dkg@debian.org>, 620064-done@bugs.debian.org
- Cc: Carsten Hey <carsten@debian.org>, Debian GnuPG packaging <pkg-gnupg-maint@lists.alioth.debian.org>
- Subject: Re: Bug#620064: apt: please drop dependency on gnupg
- From: David Kalnischkies <david@kalnischkies.de>
- Date: Fri, 1 Jul 2016 18:40:16 +0200
- Message-id: <20160701164016.GA2216@crossbow>
- Mail-followup-to: David Kalnischkies <david@kalnischkies.de>, Daniel Kahn Gillmor <dkg@debian.org>, 620064-done@bugs.debian.org, Carsten Hey <carsten@debian.org>, Debian GnuPG packaging <pkg-gnupg-maint@lists.alioth.debian.org>
- In-reply-to: <[🔎] 8737nt1kza.fsf@alice.fifthhorseman.net>
- References: <20110329163237.GV31514@furrball.stateful.de> <[🔎] 8737nt1kza.fsf@alice.fifthhorseman.net>
Version: 1.3~exp1 On Fri, Jul 01, 2016 at 10:39:05AM -0400, Daniel Kahn Gillmor wrote: > On Tue 2011-03-29 12:32:37 -0400, Carsten Hey wrote: > > please drop apt's dependency on gnupg. > > We've talked about this in a few different contexts: it would be great > to have apt Depend: strictly on gpgv instead of the full gnupg > package. Slightly ahead of you: I actually moved it to Recommends for the upcoming 1.3 release already. That version also complains about the reason why it is a Recommends for now: apt-key being called from maintainer scripts to add/remove keys. That is discouraged for years by now, but for now we have remains in Debian itself (e.g. #390449, but that seems to be solved some way or another eventually) and at least a bunch of third-party packages (I was told). Given that there still exists things which use 'add' there is still a need for 'del', so assuming all the bad guys are fixed in stretch, buster will have an apt just suggesting gnupg… In my book apt-key has very very limited real uses¹ compared to the heap of things it is used for but shouldn't be anymore (like adding keys) – and triggered by this (and the other bugreport) I am working on making that a bit more obvious with more runtime warnings and manpage disclaimers now… I somehow doubt this is going to help much (based on how the insecure repository thing moved over the years and that was a lot more visible) but at least we can point to ignored warning then. Best regards David Kalnischkies ¹ ironically, I think list (aka finger) is 99% of the valid usesAttachment: signature.asc
Description: PGP signature
--- End Message ---