[pkg-gnupg-maint] Changes for GnuPG in debian

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Aug 4 18:57:51 UTC 2016


Hi Bill--

On Thu 2016-08-04 13:39:53 -0400, Bill Allombert wrote:
> On Thu, Aug 04, 2016 at 12:29:03PM -0400, Daniel Kahn Gillmor wrote:
>> What does this mean for package maintainers?
>> --------------------------------------------
>> 
>> If you maintain a package that depends on `gnupg`: be aware that the
>> `gnupg` package in debian is going through this transition.
>> 
>> A few general thoughts:
>> 
>>  * If your package `Depends: gnupg` for signature verification only,
>>    you might prefer to have it `Depends: gpgv` instead.  `gpgv` is a
>>    much simpler tool than the full-blown GnuPG suite, and should be
>>    easier to manage.  I'm happy to help with such a transition (we've
>>    made it recently with `apt` already)
>
> How will that work for popularity-contest?
> popularity-contest uses gpg for encryption and not signature, and this
> is not handled by gpgv.

Thanks for the prompt followup!  I just did a quick scan of
popularity-contest and it looks to me like it all works smoothly with
2.1 providing /usr/bin/gpg.

> Specifically in /etc/cron.daily/popularity-contest
>
>   GPGHOME=`mktemp -d`
>   $GPG --batch --no-options --no-default-keyring --trust-model=always \
>        --homedir "$GPGHOME" --keyring $KEYRING --quiet \
>        --armor -o "$POPCONGPG" -r $POPCONKEY --encrypt "$POPCON"
>   rm -rf "$GPGHOME"

This looks fine.  If you're willing to Depends: gnupg (>= 2.1.14) in the
future, you could change this to use "--recipient-file $KEYRING" instead
of "--trust-model=always --keyring $KEYRING -r $POPCONKEY", but given
that the current code works on all versions I'd recommend that you just
keep it as it is.

One proposed cleanup patch is attached (use fingerprints instead of
keyids as a general best practice!), but shouldn't be immediately
necessary or relevant to the upgrade.

Please let us know if you have any other questions or run into any
trouble.

Regards,

        --dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-use-full-OpenPGP-fingerprint-instead-of-key-ID.patch
Type: text/x-diff
Size: 690 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20160804/8b957d5a/attachment.patch>
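
The fingerprint recommendation in the message above can be checked mechanically. The following is an added example, not part of the original message, the attached patch, or popularity-contest: a POSIX shell lint that classifies each value assigned to a key variable as a 32-bit short key ID, a 64-bit long key ID, or a full 40-hex-digit v4 fingerprint. The function names, the keyring path and all key values are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample values are constructed.

# Classify an OpenPGP key identifier by its form (spaces and a 0x prefix allowed).
classify_keyid() {
    id=$(printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//')
    case "$id" in
        ''|*[!0-9A-Fa-f]*) echo "other"; return 0 ;;
    esac
    case ${#id} in
        8)  echo "short-keyid" ;;      # 32 bits
        16) echo "long-keyid" ;;       # 64 bits
        40) echo "v4-fingerprint" ;;   # 160 bits
        *)  echo "other" ;;
    esac
}

# Read a shell script on stdin and report every assignment to variable $1
# whose value is not a full fingerprint. Returns 1 if anything was reported.
lint_key_var() {
    var=$1; n=0; bad=0
    while IFS= read -r line; do
        n=$((n + 1))
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$line" in
            "$var="*) ;;
            *) continue ;;
        esac
        val=${line#"$var="}
        val=$(printf '%s' "$val" | tr -d "\"'")
        kind=$(classify_keyid "$val")
        if [ "$kind" != "v4-fingerprint" ]; then
            echo "line $n: $var=$val is $kind, not a full fingerprint"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample input: one short key ID, one fingerprint, one long key ID.
sample_script() {
    cat <<'EOF'
KEYRING=/path/to/keyring.gpg
POPCONKEY=DEADBEEF
POPCONKEY="0123456789ABCDEF0123456789ABCDEF01234567"
  POPCONKEY=0x0123456789ABCDEF
EOF
}

sample_script | lint_key_var POPCONKEY || true
```
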