
Bug#1016843: apt: should probably use "sop" for OpenPGP



Hey :)

On Mon, 8 Aug 2022 15:33:21 +0200 Julian Andres Klode <jak@debian.org> wrote:

> Control: tag -1 moreinfo
>
> On Mon, Aug 08, 2022 at 01:54:16PM +0300, Lars Wirzenius wrote:
> > Package: apt
> > Severity: wishlist
> >
> > Currently apt is using gpgv to verify Release.gpg files. It would
> > probably be a good idea to use an implementation of the SOP interface
> > instead. SOP is short for "stateless OpenPGP", and it's a
> > specification by Daniel Kahn Gillmor (dkg). See
> >
> > https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/
> >
> > There are many implementations of that, including one for GnuPG.
> > Having a consistent interface makes it easier to switch to a different
> > implementation. The OpenPGP Interoperability Test Suite
> > (https://tests.sequoia-pgp.org/) uses this.
>
> It's a draft and to my knowledge there are no suitable implementations
> yet?

There is Sequoia's `sqop`: https://packages.debian.org/stable/utils/sqop, although that might not be suitable due to being written in Rust. PGPainless' `pgpainless-cli` is currently in the process of getting packaged for unstable.

> I want to phase out OpenPGP and do not see the point in undertaking
> this work.

Personally I'm not a fan of these plans, but those are just my 2 cents :)

Paul

