On Tue, Apr 26, 2016 at 06:33:29AM +0200, Dr. Markus Waldeck wrote: > > There is no need to from the APT side, apt >= 1.1 calls gpg(v)(2) > > consistently with single keyring (after potentially merging multiple > > together with cat as we discussed last year in the apt-vs-gpg2 thread). > > Based on this statement I aligned /var/lib/dpkg/status and removed the > dependency on "gnupg | gnupg2". But apt-get worked still fine for me. > > Unfortunately the NEW package apt 1.2.11 depends still on "gnupg | gnupg2". > WTF? "WTF?" Relax man. I said what /I/ am thinking as someone who did most of the apt-key related changes recently, not what the /team/ is thinking and given that Julian posted a different opinion ealier and Michael hasn't yet I am not in the mood for a my way or the highway approach. We maybe deities, but the greek/roman version which aren't perfect and which have to talk and agree if they don't want to kill each other – aka the usual problems of polytheism. Beside, there are still questions open: If Werner as upstream is e.g. against the cat'ing of the 'simple' keyrings (!= keyboxes) as a supported interface that whole thread becomes pointless as gnupg is a hard-dependency of apt then. And of course: What about the requested (sub)key import in the mentioned wishlist-bug… Perhaps the idea of not needing gnupg for the basic task of verifying the signature of a file is all eyewash given that the verify itself can be done with gpgv, but to setup a suitable environment to run it in gpg is (maybe) needed… If you don't have an answer to those questions, please don't "WTF" us as that is mean and devalues the people & work involved. Best regards David Kalnischkies
Attachment:
signature.asc
Description: PGP signature