On Mon, Jun 05, 2006 at 06:08:35PM +0200, Adeodato Simó wrote:
> * Rafael Garcia-Suarez [Mon, 05 Jun 2006 14:02:59 +0200]:
>
> > Well, but so, why apt didn't upgrade itself, pulling it that new
> > dependency as a side-effect? Some other hateful behaviour?
>
> Because you're supposed to install recommended packages unless you explicitly
> know you don't want them. apt recommends debian-archive-keyring, and
> it's not a hard dependency to avoid the major hate that would be shoving
> gnupg down the throat of every Debian user on earth.
This isn't really true. Recommended packages are recommended. You're not "supposed" to install them, it's your choice. Recommended points out that to get pieces of functionality you probably should consider those packages. Sometimes the pieces of functionality are things you'll never ever use.

debian-archive-keyring is a near-necessity for debian developers. It is the package which includes the gpg/pgp keys of every debian developer. That's a _lot_ of keys. Every debian developer really should have this. No debian user really has any reason to have this.

This "solution" is to make all debian users of "testing" and "unstable" pretend that they are developers, more or less, which is par for the course for those branches, because Debian likes to maintain an (increasingly wrong) myth that all users use 'stable'.

When I brought this up on #debian, the recommended user procedure became "type in this command sequence", where the command consisted of pulling the key from an arbitrary internet source (unverifiable) into root's personal gpg keyring (where it doesn't belong), and then exporting it from there into the appropriate apt configfile.

The hateful thing was of course that I _had_ the gpg key from the past year still installed, but it instantaneously broke on Jan 1. The theory was the package list would still be signed with the old key as well as a new key, allowing a transition. A bug in apt prevented it from being able to handle any key but the first one used to sign. So I could just upgrade apt to fix the problem, only not without breaking the trust model and using `apt --override --do-it-you-punk'. Or I could break the trust model and force an install of the new key. Or I could break the...

Never once was a solution offered by any party (#debian, the package owner, the bts) which provided a path which did not violate the trust model, leaving you with a cryptographic package transfer system with basically no intact trust. Forever.
In any event, the current situation is that apt will spit out confusing (one might say misleading) errors that do much more harm than good if you do not have gpg and the appropriate key. Either these errors should be made so as to not be so amazingly unhelpful, or the gpg and key system should be pulled in automatically. I don't say either is a necessary path, but the choice of one or the other is.

Hate.

-josh