
Bug#1103625: modernize-sources: use .pgp file extension for debian-archive-keyring



Hi!

On Fri, 2025-09-12 at 08:59:10 +0200, Julian Andres Klode wrote:
> On Wed, Aug 27, 2025 at 01:41:19PM +0200, Guillem Jover wrote:
> > On Sat, 2025-04-19 at 21:02:47 +0200, Julian Andres Klode wrote:
> > > So the .pgp extension is reserved for PGP messages, not keys.
> > > 
> > > This needs to be resolved by the IETF WG, and the change in the
> > > keyring package was premature.
> > > 
> > > The only file extension for keys is .asc for armored ones.
> > 
> > I think that to keep using .gpg is worse, because I don't think there's
> > even a MIME type for .gpg? At least none that I could see in the
> > /etc/mime.types anyway. For example file --mime-types returns the correct
> > thing anyway.
> > 
> > My take is that the MIME definition is not exhaustive, so I don't see a
> > conflict if it's "missing types". And my perception is that MIME types
> > get registered after demonstrated usage?

And to clarify, I think .pgp has pre-existing demonstrated usage, from
even before GnuPG was around.

> > Julian asked if file did application/pgp-keys for .pgp keys, and this
> > was my reply:
> > 
> >   $ file --mime-type /usr/share/keyrings/debian-archive-trixie-automatic.pgp
> >   /usr/share/keyrings/debian-archive-trixie-automatic.pgp: application/pgp-keys
> > 
> > It just checks the contents the same with a .gpg one for example:
> > 
> >   $ file --mime-type /usr/share/keyrings/debian-maintainers.gpg
> >   /usr/share/keyrings/debian-maintainers.gpg: application/pgp-keys
> > 
> > So I don't see much of a problem here, and I think it would be best if we
> > could move away from this naming pattern, as that entrenches GnuPG usage
> > as a synonym for OpenPGP which seems rather unfortunate.
> > 
> > And for example for the apt modernize stuff I think it would be great if
> > it could check whether the current pathname referred is a symlink and
> > then use that (or perhaps if the symlink target is named .pgp if you want
> > to be more specific).
> > 
> > Julian then replied that the code could be made to just look for a
> > .pgp first.
> 
> Now the uapi group standardized .openpgp as the file extension
> for keys in the 
> 
>     File Hierarchy for the Verification of OS Artifacts (VOA)
> 
> specification, but also specifies they must be ASCII armored,
> that is, they match our .asc extension.
> 
> So this of course begs the question of whether to support .openpgp
> as an extension, but also maybe we should prefer .asc - despite .asc
> having higher overhead - since it's a nicer file format to work
> with in practical applications.

I don't find the .openpgp extension choice to be great. It is very long,
it is going to be confusing alongside the pre-existing usage of .pgp for
binary artifacts, and it ignores the existing usage of .asc. I could
agree that «.asc» was not a great choice (given its potentially generic
naming), but I think it's pretty ubiquitously recognized as OpenPGP ASCII
Armor by now.

I'd rather we do not make this even more confusing. :/

Thanks,
Guillem
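
Added example, not part of the thread and not apt's code: a content-based check in the spirit of the `file --mime-type` output quoted above, combined with the lookup order floated in the discussion (a symlink target named .pgp, then a sibling .pgp). The function names, the lookup policy and the file names are hypothetical; the packet header bit layout is the standard OpenPGP one.

```python
import os
import tempfile

ARMOR_HEADER = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"
PUBLIC_KEY_TAG = 6  # OpenPGP Public-Key packet tag


def classify_keyring(data: bytes) -> str:
    """Classify keyring bytes as 'armored', 'binary' or 'unknown' by content."""
    if data.lstrip().startswith(ARMOR_HEADER):
        return "armored"
    if not data or not data[0] & 0x80:  # bit 7 is set in every packet header
        return "unknown"
    first = data[0]
    # New-format headers (bit 6 set) carry the tag in bits 5-0,
    # old-format headers carry it in bits 5-2.
    tag = first & 0x3F if first & 0x40 else (first & 0x3C) >> 2
    return "binary" if tag == PUBLIC_KEY_TAG else "unknown"


def preferred_keyring(path: str) -> str:
    """Hypothetical lookup policy: symlink target named .pgp, then sibling .pgp."""
    if os.path.islink(path):
        target = os.path.realpath(path)
        if target.endswith(".pgp"):
            return target
    stem, ext = os.path.splitext(path)
    if ext == ".gpg" and os.path.isfile(stem + ".pgp"):
        return stem + ".pgp"
    return path


def demo() -> dict:
    """Run both checks over constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        new = os.path.join(tmp, "example-archive.pgp")  # constructed name
        old = os.path.join(tmp, "example-archive.gpg")  # compatibility symlink
        with open(new, "wb") as fh:
            fh.write(b"\x99\x01\x0d\x04")  # constructed old-format header, tag 6
        os.symlink(new, old)
        chosen = preferred_keyring(old)
        with open(chosen, "rb") as fh:
            kind = classify_keyring(fh.read())
        return {"chosen": os.path.basename(chosen), "kind": kind}


if __name__ == "__main__":
    print(demo())
```

The classification never looks at the extension, so a .gpg, .pgp, .asc or .openpgp name gives the same answer for the same bytes.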

