On Tue, Dec 03, 2024 at 04:34:52PM +0100, Julian Andres Klode wrote:
> On Thu, Nov 21, 2024 at 09:16:20PM +0100, Julian Andres Klode wrote:
> > I've just finished, more or less, adjusting the APT test suite
> > to test gpgv-sq. I plan to upload APT that tests gpgv-sq
> > tomorrow. This ensures full compatibility between apt and
> > gpgv-sq going forward.
> > 
> > After that migrates to testing next week, I want to make
> > the switch: APT by default should use gpgv-sq. Previous
> > discussions with the security team did not reveal any
> > blockers for that, despite the strenuous nature of
> > security updates for Rust packages.
> 
> This has been delayed. There's ongoing investigation into
> sqv and sqopv, which are smaller verifiers from Sequoia,
> measuring only 2MB and without an SQLite dependency, hence
> saving about 6MB.

An sqv backend is now available in apt-team/apt!409 and in
experimental in apt 2.9.17+exp1.

Note that the experimental upload only supports architectures
with sqv available. There is no fallback yet.

The plan is to detect if sqv is available at build time, by
build-depending on sqv for the correct set of architectures,
and then generate a `Depends: sqv` for those architectures,
and `Depends: gpgv` for other (ports) architectures.

The sqv binary is about 2MB large when optimized for size,
and provides good feedback when a key cannot be verified.
-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
