[pkg-gnupg-maint] Bug#620064: apt: please drop dependency on gnupg

Daniel Kahn Gillmor dkg at debian.org
Fri Jul 1 14:39:05 UTC 2016


Hi Apt maintainers (and fellow debian GnuPG maintainers)--

i just wanted to see if we can get any action on this old bug report:

On Tue 2011-03-29 12:32:37 -0400, Carsten Hey wrote:
> please drop apt's dependency on gnupg.

We've talked about this in a few different contexts: it would be great
to have apt Depend: strictly on gpgv instead of the full gnupg
package.

APT should really only be verifying OpenPGP signatures, and gpgv is a
dedicated tool for doing that as cleanly and simply as possible.

I understand that there's an "apt-key adv" function that expects a full
/usr/bin/gpg, and an "apt-key net-update" that is available in ubuntu
(but not in debian) which probably does the same.  From apt-key(8):

       adv
           Pass advanced options to gpg. With adv --recv-key you can e.g.
           download key from keyservers directly into the trusted set of
           keys. Note that there are no checks performed, so it is easy to
           completely undermine the apt-secure(8) infrastructure if used
           without care.

 [...]

       net-update
           Perform an update working similarly to the update command above,
           but get the archive keyring from a URI instead and validate it
           against a master key. This requires an installed wget(1) and an APT
           build configured to have a server to fetch from and a master
           keyring to validate. APT in Debian does not support this command,
           relying on update instead, but Ubuntu's APT does.

Both of these things aren't things we should expect normal system
administrators to use -- they're dangerously insecure; and net-update
even explicitly says that it won't work without an extra package
installed.  Perhaps we could make them both explicitly ask for "an
installed gpg(1)"?

I think apt-key also depends on gpg for the following subcommands:

  list
  finger
  export
  exportall

I'd be fine with having those fail if gnupg isn't installed.

As i mentioned in another bug report, "list" and "finger" shouldn't be
used for machine-parseable output anyway, so a warning visible to the
user ("please install gnupg to use apt-key list") and an error return
should be OK.

"export" selects a key by keyid or fingerprint, and would probably need
gpg's key management capabilities to be able to find the relevant key.
Again, i think it's ok for that to fail if gnupg isn't installed.

"exportall" (as well as "export") doesn't have any documented format
expectations, but in practice, people probably expect them to be blobs
in OpenPGP ASCII-armored format.  This is pretty simple to calculate
(it's base64-encoding with a trailing CRC).  We could make "exportall"
work without gpg by using cat and a little hand-crafted OpenPGP
ASCII-armoring subroutine if we want it to work without having gpg
installed.

The commands:

 add
 del
 update

should all be able to work with cat and cp.

So with respect to apt-key, it seems like we could move gnupg out of
"Depends" and into "Recommends" or "Suggests" with a few small changes.

Other than apt-key, are there any other pieces that would prevent apt
from moving to a dependency on gpgv instead of gnupg?

Regards,

      --dkg
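The "base64-encoding with a trailing CRC" armoring that the message says "exportall" could do without gpg, worked through as an added example (not code from apt-key, GnuPG or the author): the RFC 4880 CRC-24, the BEGIN/END framing gpg emits, and a decoder that refuses output whose checksum does not match. The keyring blob is constructed sample bytes, not a real OpenPGP key.

```python
import base64

# CRC-24 parameters from RFC 4880, section 6.1 (same values gpg uses)
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """Bitwise CRC-24 over the binary (unarmored) OpenPGP data."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, block_type: str = "PUBLIC KEY BLOCK") -> str:
    """Header line, blank line, 64-char base64 lines, '=' + base64(CRC), footer."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_b64 = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN PGP {block_type}-----", ""] + lines
                     + [f"={crc_b64}", f"-----END PGP {block_type}-----", ""])


def dearmor(text: str) -> bytes:
    """Reverse armor(); raise ValueError on bad framing or a CRC-24 mismatch."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP ") and lines[-1].startswith("-----END PGP ")):
        raise ValueError("missing armor header or footer")
    if not lines[-2].startswith("="):
        raise ValueError("missing CRC line")
    start = lines.index("") + 1          # armor headers end at the first blank line
    data = base64.b64decode("".join(lines[start:-2]), validate=True)
    expected = int.from_bytes(base64.b64decode(lines[-2][1:]), "big")
    if crc24(data) != expected:
        raise ValueError("CRC-24 mismatch: armored data is corrupted or truncated")
    return data


if __name__ == "__main__":
    sample_keyring = bytes(range(200))   # constructed blob standing in for a .gpg keyring
    print(armor(sample_keyring))
```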