hi debian installer folks-- this message is not urgent, just a heads-up to the debian installer folks (and the pkg-gnutls folks, since libksba comes up later) from a gnupg maintainer. (i don't think i'm subscribed to debian-boot, please keep me cc'ed!)
i believe the installer relies on gpgv for archive manifest signature verification. we have gpgv-udeb for that purpose, i think.

It's likely that at some point (i'm hoping before stretch) we'll want to move most of our GnuPG reliance to the 2.1 branch, since that will allow us to take advantage of stronger, smaller, faster cryptography and will also help to keep our tools aligned with where upstream's main development focus is.

As a result, i'd like to consider moving the gpgv udeb over to the gnupg2 package sometime soon. gpgv2 has more dependencies than gpgv, though:

  gpgv2 Depends: libbz2-1.0, libc6 (>= 2.14), libgcrypt20 (>= 1.6.1), libgpg-error0 (>= 1.14), libksba8 (>= 1.2.0), zlib1g (>= 1:1.1.4)

  gpgv  Depends: libbz2-1.0, libc6 (>= 2.14), zlib1g (>= 1:1.1.4)

so we're talking about adding three dependencies as udebs: libgcrypt20, libgpg-error0, libksba8

Of these three dependencies:

 * gpg-error is simple/small/trivial: i don't think it's particularly objectionable, and there's already a udeb for it.

 * libgcrypt is the actively-developed crypto library that we want to rely on instead of what's effectively an embedded stripped-down copy in gpgv, so i think this is an actively good dependency to add. libgcrypt also already has a udeb.

 * libksba8 is the X.509 and CMS support library used by GnuPG. we probably don't strictly need this for the installer (our archive signatures use OpenPGP signatures and not CMS). I can work on a stripped-down build of gpgv2 that doesn't have this dependency if we think that would be useful for minimizing the installer. Alternately, I can work with pkg-gnutls to add a udeb for libksba (we've already discussed the possibility of transferring libksba from pkg-gnutls to pkg-gnupg).

let me know if you have any concerns, preferences, or questions about this work, and if you have specific time windows that it would be good to aim for.

Regards,

        --dkg
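Added example (not part of dkg's mail, and not code from the Debian installer or GnuPG packaging): a Python script that parses the two Depends lines quoted in the mail using Debian's dependency-field syntax (comma-separated AND groups, `|` alternatives, `(op version)` constraints, `:any`-style qualifiers and `[arch]` lists) and reports which packages gpgv2 would add over gpgv, and which of those still lack a udeb. The two Depends strings are copied from the mail; the HAS_UDEB table is constructed from what the mail states and is an assumption that should be checked against the archive before acting on it. The parser is general, so the same functions work for any pair of packages whose Depends fields are pasted in.

```python
"""Compute which shared-library udebs a gpgv -> gpgv2 switch would pull in.

Parses Debian Depends fields (comma-separated AND groups, '|' alternatives,
'(op version)' constraints, ':any' qualifiers and '[arch]' lists), diffs the
package names between an old and a new package, and flags the added
dependencies that have no udeb yet.
"""
import re

# Depends lines as quoted in the mail.
GPGV2_DEPENDS = ("libbz2-1.0, libc6 (>= 2.14), libgcrypt20 (>= 1.6.1), "
                 "libgpg-error0 (>= 1.14), libksba8 (>= 1.2.0), zlib1g (>= 1:1.1.4)")
GPGV_DEPENDS = "libbz2-1.0, libc6 (>= 2.14), zlib1g (>= 1:1.1.4)"

# Which candidate libraries already ship a udeb. Constructed from the mail's
# statements (an assumption, not an archive query): gpg-error and libgcrypt
# have udebs, libksba does not.
HAS_UDEB = {"libgpg-error0": True, "libgcrypt20": True, "libksba8": False}

_DEP_RE = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9.+-]+)"                      # package name
    r"(?::(?P<arch_qual>[a-z0-9-]+))?"                      # optional :any / :native
    r"\s*(?:\((?P<rel>>=|<=|<<|>>|=)\s*(?P<ver>[^)]+)\))?"   # optional version relation
    r"\s*(?:\[(?P<archs>[^\]]+)\])?$"                       # optional [arch list]
)


def parse_depends(field):
    """Return a list of AND-groups; each group is a list of alternatives,
    each alternative a dict with name / rel / ver / archs."""
    groups = []
    for group in field.split(","):
        group = group.strip()
        if not group:
            continue
        alts = []
        for alt in group.split("|"):
            m = _DEP_RE.match(alt.strip())
            if not m:
                raise ValueError("unparseable dependency: %r" % alt)
            alts.append({
                "name": m.group("name"),
                "rel": m.group("rel"),
                "ver": (m.group("ver") or "").strip() or None,
                "archs": (m.group("archs") or "").split() or None,
            })
        groups.append(alts)
    return groups


def package_names(field):
    """Every package name mentioned in the field, alternatives included."""
    return {alt["name"] for group in parse_depends(field) for alt in group}


def added_dependencies(old_field, new_field):
    """Package names the new package depends on that the old one did not."""
    return sorted(package_names(new_field) - package_names(old_field))


def udebs_to_create(old_field, new_field, has_udeb):
    """Added dependencies with no udeb yet; an unknown package counts as missing."""
    return [p for p in added_dependencies(old_field, new_field)
            if not has_udeb.get(p, False)]


if __name__ == "__main__":
    added = added_dependencies(GPGV_DEPENDS, GPGV2_DEPENDS)
    print("gpgv2 adds over gpgv:", ", ".join(added))
    missing = udebs_to_create(GPGV_DEPENDS, GPGV2_DEPENDS, HAS_UDEB)
    print("udebs still to create:", ", ".join(missing) or "(none)")
```

Version constraints are parsed but deliberately ignored when diffing: for the installer question what matters is which udeb packages must exist, and the version bounds are then enforced by the udeb build itself. Treating every alternative in a `|` group as a name is a conservative choice, since any of them might be the one the installer ends up pulling in.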