
Bug#1016843: apt: should probably use "sop" for OpenPGP



Control: tag -1 moreinfo

On Mon, Aug 08, 2022 at 01:54:16PM +0300, Lars Wirzenius wrote:
> Package: apt
> Severity: wishlist
> 
> Currently apt is using gpgv to verify Release.gpg files. It would
> probably be a good idea to use an implementation of the SOP interface
> instead. SOP is short for "stateless OpenPGP", and it's a
> specification by Daniel Kahn Gillmor (dkg). See
> 
> https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/
> 
> There are many implementations of that, including one for GnuPG.
> Having a consistent interface makes it easier to switch to a different
> implementation. The OpenPGP Interoperability Test Suite
> (https://tests.sequoia-pgp.org/) uses this.

It's a draft and to my knowledge there are no suitable implementations
yet?

> 
> If APT used SOP, it could even allow a sysadmin to choose what
> implementation they want. This would free apt from being locked into
> GnuPG without abandoning OpenPGP entirely.

APT must Depend on the default backend and we must make sure that
this dependency is not satisfiable by other packages. Any non-default
backend must be explicit configuration via config files, otherwise
the risk of breaking updates due to implementation-specific bugs is
just too great.

I want to phase out OpenPGP and do not see the point in undertaking
this work. This will likely introduce several CVEs, and still involves
spawning subprocesses and parsing their output which is the thing
that we want to get rid of in the first place.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
