Morning, I had the most peculiar incident just now. KNewstuff shouted at me because I have no bin/gpg(2). As it turns out core/security.cpp implements some form of gpg signing verification. Based on the gpg CLI app.
Naturally, I am perplexed by this because CMake doesn't actually report gpg as a RUNTIME dep. That's not really the problem though.

The problem is in core/installation.cpp where the Security class is "used". It is used by: ctoring and setting up signal connections and then the following marvel happens:

> // ==== FIXME: security code below must go above, when async handling is complete ====
>
> // FIXME: security object lifecycle - it is a singleton!
> Security *sec = Security::ref();
>
> // FIXME: change to accept filename + signature
> sec->checkValidity(QString());

I am pretty sure that is a no-op. Except for the fact that knewstuff will complain visually [1] if gpg is not found in $PATH.

There is a bunch of issues with all of this:

- Security isn't actually used
- Security operates the bin/gpg CLI rather than using libgpgme which supposedly would fit here?
- The gpg requirement is not codified in cmake
- The class, while saying it is private and not meant to be used, actually installs its header and exports itself -.-
- The class doesn't even have an actual development history in git (sans mass refactoring and a workaround for the very noop code seen above)

I move that we remove every "usage" of the Security class, mark the entire thing deprecated and rip it out with KF6.

If no one has objections I'll prep a review for this tomorrow.

[1] http://i.imgur.com/joGDtfT.png

HS