Re: python-apt gnupg dependency



Hello Julian,

On Fri, Oct 07, 2016 at 09:33:51PM +0200, Julian Andres Klode wrote:

first thanks for the prompt reply and the good work you do!

> python-apt's apt.auth module uses the gpg binary.

Does this hold true for both python-apt and python3-apt? I ask because
the python3-apt package lacks any dependency on gnupg, whether it's
version 1 or 2...

> It should work with
> both versions,

Ok, thanks for the info, so in case I may just do a local rebuild with a
changed control file.

> but I don't want to add a fallback to an old gpg version
> for a module we have to deprecate anyway.

While I think you have a valid point I think python-apt can't go away so
fast:

apt-rdepends -r python-apt
Reading package lists... Done
Building dependency tree
Reading state information... Done
python-apt
  Reverse Depends: apprecommender (0.6.2.3-1)
  Reverse Depends: apt-forktracer (>= 0.5)
  Reverse Depends: apt-p2p (>= 0.1.8)
  Reverse Depends: apt-transport-spacewalk (1.0.6-4.1)
  Reverse Depends: apt-xapian-index (>= 0.48)
  Reverse Depends: aptoncd (>= 0.1.98+bzr117-1.4)
  Reverse Depends: bcfg2 (>= 1.4.0~pre1+git18-gea63477-1)
  Reverse Depends: bzr-builddeb (2.8.10)
  Reverse Depends: dblatex (0.3.8-1)
  Reverse Depends: debpartial-mirror (>= 0.3.1+nmu1)
  Reverse Depends: debsecan (0.4.18)
  Reverse Depends: isenkram (0.27)
  Reverse Depends: mini-dinstall (>= 0.6.30)
  Reverse Depends: ovirt-guest-agent (1.0.12.2.dfsg-1)
  Reverse Depends: piuparts-common (0.72)
  Reverse Depends: python-apport (>= 2.19.3-1)
  Reverse Depends: python-apt-dbg (= 1.1.0~beta5)
  Reverse Depends: python-apt-dev (>= 1.1.0~beta5)
  Reverse Depends: python-cdd (>= 0.0.11+nmu1)
  Reverse Depends: python-dogtail (>= 0.9.9-1)
  Reverse Depends: python-germinate (>= 2.25)
  Reverse Depends: python-linaro-image-tools (2016.05-1)
  Reverse Depends: rebuildd (>= 0.4.2)
  Reverse Depends: reportbug-ng (>= 2.1)
  Reverse Depends: rhn-client-tools (>= 2.3.5-1)
  Reverse Depends: salt-common (2016.3.2+ds-1)
  Reverse Depends: ubuntu-dev-tools (>= 0.157)
  Reverse Depends: xdeb (>= 0.6.6)

And gnupg1 is still actively maintained, at least it receives security
updates:

Security fixes for Libgcrypt and GnuPG 1.4 (2016-08-17)   important

A bug in the random number generator of Libgcrypt and in GnuPG 1.4 has
been found. Updating the software is highly suggested. Please read this
mail for details. Note that the CVE id in that mail is not correct, the
correct one is CVE-2016-6313.

So maybe you could rethink your decision as IMHO gnupg1 provides a much
smaller footprint than gnupg2 (no agent or dirmanager)?

My suggestion would be:

Depends: ..., gnupg | gnupg1, dirmngr | gnupg1

Kind regards
Harald Jenny

