Hi Ivan--

On Sun 2017-01-29 13:57:19 -0500, Ivan Shmakov wrote:
>       [Apologies for not actually checking if the problem described is
>       relevant to Debian testing.]

i'm not sure which exact problem is the one you think is most important,
but if this is it:

>       Long story short, I’ve recently tried to install Mutt on a
>       “headless,” tty-over-SSH-only server.  To my surprise, APT found
>       that it depends on libgtk2.0-0!  Thankfully, no, Mutt wasn’t
>       upgraded to provide a GUI; the problem was in the
>       ‘pinentry-gtk2’ package – which is required by gnupg-agent,
>       which is in turn required by gnupg2, and thus libgpgme11.
>       (JFTR, I’m aware of pinentry-curses.)

then you'll be glad to know that the dependencies in debian testing are
such that pinentry-curses is the only thing that would be installed
automatically on a headless server.  I think that's a reasonable
tradeoff.

Note that even on jessie, if you do:

    apt install pinentry-curses
    apt install mutt

then you don't get the heavyweight libgtk dependency chain.

>       To make things weirder, Mutt doesn’t even /use/ GPGME in its
>       default settings (whether upstream or Debian; see below); but of
>       course being built with such support, the binary (or, rather,
>       ld.so) requires the library to run.

i believe (and hope!) that newer versions of mutt will use gpgme by
default.

>       And indeed, providing an otherwise empty, “fake” gnupg2 package
>       [1] made it possible to install and use Mutt with no obvious ill
>       effects (using [2] as the test file.)  For instance:

this seems like a lot of work, compared to just manually installing
pinentry-curses before installing mutt, no?

>       From the above, I conclude that ‘gnupg2’ is not strictly
>       necessary to run Mutt (and presumably other packages built with
>       GPGME support), and thus per [3] (quoted below) should be
>       requested with Recommends: rather than Depends:.

you're doing pretty heavy surgery on these tools in order to reach a
"graceful" failure state.  If you're ok doing that surgery, then i'm ok
with you getting to deal with the aftereffects ;)

As a maintainer, though, i'd really rather have the defaults Just Work.
I agree with you that the default dependency chain in Jessie is too
heavy (see https://bugs.debian.org/764292), but it's rather complicated
to switch that around in jessie today.  It will be better in stretch. :)

>       This issue is perhaps less relevant to Debian testing, as there
>       GnuPG 2 finally replaced GnuPG 1.  Still, it’s possible to rely
>       on the ‘gpgv’ package for OpenPGP signature validation (just as
>       ‘apt’ does), and avoid the use of the full-weight ‘gnupg’
>       package.

I don't think that's technically correct, for either mutt or for
libgpgme.  gpgv is a specially-targeted tool, which expects a
well-curated keyring and does not do any certificate validation or
management.  If there's a way that people are trying to use gpgv with
mutt, i'd like to hear about it though!

I'm going ahead and closing this bug because i think the underlying
request has already been addressed quite some time ago in testing (see
#764292, as mentioned above), but feel free to keep chatting here or on
pkg-gnupg-ma...@lists.alioth.debian.org if you want to follow up.

Thanks for the report,

        --dkg
