[ dropping the gnupg bug and d-rele...@l.d.o from To:/CC: since this
  mail does not seem to be relevant there ]

* Philipp Kern [2010-08-22 11:24 +0200]:
> On 08/22/2010 12:46 AM, Carsten Hey wrote:
> >By removing the (currently indirect) apt dependencies on gnupg and
> >libusb-0.1-4 and making apt depend on gpgv (or gpgv | gpgv-tiny)
> >instead, 5272 kB could be saved.  There are ways to accomplish this for
> >Squeeze+1, how it could be done seems to be nothing that needs to be
> >discussed before Squeeze is released.
>
> Please note that, due to how apt currently handles keyrings, you do
> need a full gnupg available to run apt-key.  The use of gpgv is only
> implemented in the installer, as it uses only one keyring file.  An
> alternative might be looping over several keyrings using gpgv, to
> verify the signature, instead of using a large one.  But this wasn't
> implemented yet, of course.

This seems to be a good approach :)


Just for the record, a few thoughts that might be relevant to fix this
bug post-squeeze and summarising part of what already had been said:

 * apt itself uses gpgv, but apt-key needs a full gnupg to be available.
   In Squeeze apt and debian-archive-keyring will (presumably) depend on
   gnupg which makes dropping both dependencies on gnupg in Squeeze+1
   easier.

 * One can pass multiple keyrings to gpgv on commandline.

 * apt 0.7.25.1 adds /etc/apt/trusted.gpg.d and all keyrings found there
   are passed to gpgv.  This directory is used by apt-key and apt itself
   (see SigVerify::RunGPGV in indexcopy.cc).

   apt-key(1) says:

   | /etc/apt/trusted.gpg.d/
   |
   |   File fragments for the trusted keys, additional keyrings can be
   |   stored here (by other packages or the administrator).
   |   Configuration Item Dir::Etc::TrustedParts.

   Instead of calling apt-key in postinst one could place packaged
   keyrings in such a directory.

 * Placing packaged keyrings in, e.g., /var/lib/apt/trusted.gpg.d/ might
   be preferable to using /etc/; on the other hand, the above-mentioned
   description sounds like /etc/ is intended to be used for this.

 * apt-key uses /var/lib/apt/keyrings/ to read master keys in its
   net-update subcommand.

 * Ubuntu's upgrade path could also be ensured to be clean; maybe one
   could ask their stable release managers to add proper dependencies to
   their stable releases.


This is unrelated, but filing a bug for something that is probably
intentional (to make apt's ability to verify signatures less fragile)
did not sound useful.  debian-archive-keyring does not remove the key
in its prerm, unlike debian-backports-keyring:

| case "$1" in
|     remove|purge)
|         if [ -x /usr/bin/apt-key ]; then
|                 /usr/bin/apt-key del 12345678
|         fi
|         ;;
| esac


Regards
Carsten
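
The multi-keyring gpgv invocation discussed in the mail, as an added example that is neither Carsten's nor apt's own code: one `--keyring` argument per `*.gpg` file found in a trusted.gpg.d-style directory (the Dir::Etc::TrustedParts convention quoted above), then a detached-signature check against all of them. The directory path, file names and the `verify_release` helper are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the mail or from apt itself).
# Assumed layout: the directory passed in holds keyrings named *.gpg,
# as /etc/apt/trusted.gpg.d/ does.

# Print one "--keyring FILE" pair for every *.gpg file in a directory.
# Files with other suffixes (editor backups such as foo.gpg~, README,
# dpkg-dist leftovers) are skipped, as apt's TrustedParts handling
# only picks up real keyring fragments.
keyring_args() {
    dir=$1
    for f in "$dir"/*.gpg; do
        # An unmatched glob stays literal; -f filters that case out.
        [ -f "$f" ] || continue
        printf -- '--keyring %s ' "$f"
    done
}

# Verify a detached signature ($1) over a file ($2) against every
# keyring in directory $3.  Returns gpgv's exit status: 0 only when the
# signature was made by a key present in one of the keyrings; non-zero
# on a bad signature, an unknown key or a missing keyring directory.
verify_release() {
    sig=$1; file=$2; dir=$3
    args=$(keyring_args "$dir")
    if [ -z "$args" ]; then
        echo "verify_release: no keyrings found in $dir" >&2
        return 2
    fi
    # Word splitting of $args into separate arguments is intended here
    # (keyring paths are assumed to contain no whitespace).
    # --status-fd 1 makes gpgv print machine-readable GOODSIG/BADSIG lines.
    gpgv --status-fd 1 $args "$sig" "$file"
}
```

Run as `verify_release Release.gpg Release /etc/apt/trusted.gpg.d` on a mirror's Release files; gpgv itself, not the wrapper, decides trust.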


