On Thu, Jul 27, 2017 at 10:27:19AM +0000, Debian Bug Tracking System wrote: > On Thu, Jul 27, 2017 at 12:01:11PM +0200, Harald Dunkel wrote: > > Apparently apt-key requires gnupg even for Stretch: > > > > root@stretch3:~# apt-key list > > E: gnupg, gnupg2 and gnupg1 do not seem to be installed, but one of them is required for this operation > > > > The system was setup using debootstrap. For Jessie there > > was no such problem. > > Not requiring gpg anymore is one of the key features in stretch. It was also not an arbitrary decision by us, but gnupg maintainers itself requested it, too, as it solves many problems in the long run. > > I would strongly recommend to move gnupg and its alternatives > > to Depends, as it was for Jessie. apt-key is essential for > > managing signed packages, which is one of the key features > > of Debian (IMHO). > > apt-key is an optional tool that is not needed for normal > operation (at least not the stuff requiring gpg). The apt-key functionality needing gpg can also be considered harmful if not used with extreme care, which most people don't. If you know that gpg only very recently learned (to some degree) to check that if key A is requested, that it actually got key A and not key B (and C) you can get very scared by all the $searchengine hits on "apt-key adv" usage with --recv-keys and --refresh-keys. Slightly sad is perhaps only missing 'apt-key list', but then again if you really NEED it, the error message is clear enough on what you need to do as a one-time step to get it without forcing it upon everyone else who is likely to never use apt-key. As key management is best done via -keyring packages perhaps it would be a good idea to implement list in a way of showing which keyrings belong to which package (and which do not belong to any package, aka created by user). I will leave that up for someone to decide & work on who is a lot more interested in third-party repositories, through. Best regards David Kalnischkies
Attachment:
signature.asc
Description: PGP signature