
Bug#1119944: marked as done (Unable to continue using gpgv on trixie)



Your message dated Sun, 02 Nov 2025 18:55:10 +0100
with message-id <06DB4EBF-98ED-4A65-8101-3D1B38C2804B@debian.org>
and subject line Re: Bug#1119944: Unable to continue using gpgv on trixie
has caused the Debian Bug report #1119944,
regarding Unable to continue using gpgv on trixie
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1119944: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119944
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 3.0.3

Dear maintainers,

during the upgrade to Debian 13 (trixie) the sqv package was
automatically installed as indicated by the NEWS entry.

I support adding alternative methods for PGP verification and thus
effectively testing for non-portable behaviour.  However, I would prefer
to continue using GnuPG for PGP verification on my systems.
GnuPG is a battle-tested and proven PGP implementation which has not let
me down in all the years I've been using it.

The NEWS entry reads as if GnuPG (gpgv) is still supported by APT,
but I could not find a way to switch back to using gpgv.

sqv is now a hard dependency and if I `dpkg --force-depends -r sqv`,
APT generally continues to work, but fails on every package install or
upgrade due to the unsatisfied sqv requirement:

> root@debian-13:~# apt upgrade
> You might want to run 'apt --fix-broken install' to correct these.
> Unsatisfied dependencies:
>  apt : Depends: sqv (>= 1.3.0) but it is not installed
> Error: Unmet dependencies. Try 'apt --fix-broken install' with no
> packages (or specify a solution).

Looking at the dependencies of the source package I can see that both
sqv and gpgv are listed.
However, for the binary packages the dependency is either one or the
other.

Would it be possible to loosen the requirements encoded in the binary
packages to allow for both supported PGP implementations?

Thank you.

Best regards,
Dennis

--- End Message ---
--- Begin Message ---
On 2 November 2025 18:00:09 CET, Dennis Camera <dennis.camera+debian@riiengineering.ch> wrote:
>Package: apt
>Version: 3.0.3
>
>Dear maintainers,
>
>during the upgrade to Debian 13 (trixie) the sqv package was
>automatically installed as indicated by the NEWS entry.
>
>I support adding alternative methods for PGP verification and thus
>effectively testing for non-portable behaviour.  However, I would prefer
>to continue using GnuPG for PGP verification on my systems.
>GnuPG is a battle-tested and proven PGP implementation which has not let
>me down in all the years I've been using it.
>
>The NEWS entry reads as if GnuPG (gpgv) is still supported by APT,
>but I could not find a way to switch back to using gpgv.

Thank you for your bug report.

Unfortunately GnuPG has decided to abandon the OpenPGP standard and is therefore being phased out as it's no longer compatible with standards compliant implementations. This means some repositories simply might not work with it anymore.

It also does not implement safe coding practices, leading to command line options that are silently ignored in some cases because they were only meant to be used in some special modes, for example.

GnuPG also does not implement a safe interface for clients to verify files against. It returns successful exit codes for failed verifications, failing exit codes for successful verifications, and as a result requires parsing a very complex status fd protocol that is very easy to get wrong and I'm sure we still have bugs lurking there.

On the other side, sqv implements the OpenPGP standard, implements safe coding practices, and sensible default choices, allowing us to simply rely on its exit status to be correct.

I hope you understand that the startling security properties of GnuPG and their desire to abandon the common standard leave us little choice.

-- 
sent from my phone, excuse the brevity, if any

--- End Message ---
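The maintainer's reply describes the hazard of trusting gpgv's exit status and the need to parse its status-fd protocol instead. The following is an added illustration of that parsing, written for this page and not taken from APT or GnuPG: it decides a verification from the `[GNUPG:] ...` status lines only, fails closed on any error keyword even when a good signature is also present, and refuses an input with no status lines at all. The keywords are those documented in GnuPG's doc/DETAILS; the fingerprints and status lines are constructed sample data, and `evaluate_status` / `Verdict` are names chosen for this example.

```python
"""Conservative reader for gpgv's machine-readable --status-fd output.

Added example, not APT's or GnuPG's code.  It shows how to decide a
verification from the status lines rather than the process exit code.
Keywords follow GnuPG's doc/DETAILS; all sample data below is constructed.
"""
from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "

# Any of these keywords makes the whole run a failure, whatever other lines
# say and whatever the exit code was.
FATAL_KEYWORDS = {
    "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
    "NO_PUBKEY", "NODATA", "UNEXPECTED", "FAILURE",
}


@dataclass
class Verdict:
    ok: bool
    signer_fingerprints: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def evaluate_status(status_text: str, trusted_fprs: set) -> Verdict:
    """Decide whether a gpgv run proves a good signature by a trusted key.

    Rules (deliberately strict):
      * only lines carrying the "[GNUPG:] " prefix are considered;
      * any FATAL keyword fails the run, even next to a good signature;
      * success needs at least one VALIDSIG whose signing-key fingerprint
        (the first argument) is in trusted_fprs;
      * no status lines at all is a failure, never a pass.
    """
    reasons = []
    signers = []
    for raw in status_text.splitlines():
        line = raw.strip()
        if not line.startswith(STATUS_PREFIX):
            continue  # human-readable text on the same fd is ignored
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FATAL_KEYWORDS:
            reasons.append(f"{keyword} {' '.join(args)}".strip())
        elif keyword == "VALIDSIG" and args:
            signers.append(args[0].upper())
    if not signers:
        reasons.append("no VALIDSIG line seen")
    elif not any(f in trusted_fprs for f in signers):
        reasons.append("no VALIDSIG from a trusted key")
    return Verdict(ok=not reasons, signer_fingerprints=signers, reasons=reasons)


# Constructed sample data (not real keys, not real archive output).
TRUSTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

GOOD_RUN = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Archive Key <archive@example.invalid>
[GNUPG:] VALIDSIG {TRUSTED_FPR} 2025-11-02 1762106110 0 4 0 1 10 00 {TRUSTED_FPR}
"""

# A good signature from the trusted key beside a bad one: must fail, and the
# decision must come from the status lines, not from the exit code.
MIXED_RUN = GOOD_RUN + """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG FEDCBA9876543210 Someone Else <other@example.invalid>
"""

# Not a signature at all: gpgv reports NODATA and nothing can be trusted.
NODATA_RUN = "[GNUPG:] NODATA 1\n"


if __name__ == "__main__":
    for name, run in (("good", GOOD_RUN), ("mixed", MIXED_RUN), ("nodata", NODATA_RUN)):
        v = evaluate_status(run, {TRUSTED_FPR})
        print(f"{name:7s} ok={v.ok} signers={v.signer_fingerprints} reasons={v.reasons}")
```

The design choice worth noting is the fail-closed default: the function reports success only when it has positive evidence (a VALIDSIG from a trusted fingerprint) and no negative evidence of any kind, so an empty or truncated status stream is treated the same as a bad signature.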
