Package: apt
Severity: wishlist

Currently apt is using gpgv to verify Release.gpg files. It would probably be a good idea to use an implementation of the SOP interface instead.

SOP is short for "stateless OpenPGP", and it's a specification by Daniel Kahn Gillmor (dkg). See https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/

There are many implementations of that, including one for GnuPG. Having a consistent interface makes it easier to switch to a different implementation. The OpenPGP Interoperability Test Suite (https://tests.sequoia-pgp.org/) uses this.

If APT used SOP, it could even allow a sysadmin to choose what implementation they want. This would free apt from being locked into GnuPG without abandoning OpenPGP entirely.

The SOP interface is pretty good for programmatic use.

-- 
I want to build worthwhile things that might last. --joeyh