[pkg-gnupg-maint] Bug#872368: gpgme: please adjust libgpgme11 dependency on gnupg package
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Nov 27 23:49:53 UTC 2017
On Mon 2017-11-27 13:54:06 +0100, Pierre Ynard wrote:
> I understand your point, and your drive for security is great. However
> to foster the use of free software we should get away from forcing users
> to install unwanted software. Due to the current circumstances, I refuse
> to proceed to any gnupg upgrade that would force on me all these new
> packages and services that I don't need. How does that make you feel?
Perhaps we need to consider shipping the same software (the full GnuPG
suite) in a single, monolithic package. That way, there won't be any
"new packages" for people to be upset about.
The current package split is designed to try to accomodate people who
really want a minimalist installation. However, it appears that it is
antagonizing those same people, so it might not be worth maintaining.
Would you be happier if there were fewer binary packages?
As for "new services", there are *no* new services started by any of
these packages on a standard debian system if the functionality is not
requested. There are sockets opened by the user's systemd session
manager, but the services themselves do not run unless someone tries to
access them. If they try to access them, then presumably that implies
that they want them installed, no?
The fact is, libgpgme explicitly fails in many use cases if gpg-agent or
dirmngr are not available. This partial, unpredictable failure is not
acceptable for a library package.
> Regarding what I said about the manual setup step: if you want to foster
> and implement the core role of encryption in email, then I would suggest
> to go all the way with an out-of-the-box experience and set up automatic
> private key creation on package configuration or first launch;
reasonable mail user agents are doing exactly that. Please see
https://autocrypt.org/ for more discussion of this approach.
If you would like to encourage the Mutt developers to consider
the Autocrypt, that would be great!
Regards,
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20171127/c593ea26/attachment-0001.sig>
More information about the pkg-gnupg-maint
mailing list