Re: apt-get and some crypto thing


From: Adeodato Simó
Subject: Re: apt-get and some crypto thing
Date: 21:35 on 05 Jun 2006
* jrodman@xxxx.xxxxxxxxxx.xxx [Mon, 05 Jun 2006 13:24:10 -0700]:

> This isn't really true.

Shrug.

> debian-archive-keyring is a near-necessity for debian developers.  It is
> the package which includes the gpg/pgp keys of every debian developer.
> That's a _lot_ of keys.  Every debian developer really should have this.
> No debian user really has any reason to have this.  

False. You are talking about the debian-keyring package:

  11M  debian-keyring_2005.05.28_all.deb
  6.0K debian-archive-keyring_2006.01.18_all.deb

debian-archive-keyring only contains the keys that are used to sign the
archive, which are one for each year.

And, TTBOMK, if apt does not Depend: on debian-archive-keyring, it's
clearly not because of size concerns about the keyring, but because d-a-k
pulls gnupg, which pulls a fair amount of dependencies. IMO the solution
to this is to create a package that only ships a stripped version of
/usr/bin/gpgv, make d-a-k depend on that package instead of gnupg, and
then make apt depend on d-a-k, and so half a year ago I requested [1]
the creation of such a package, because I wanted this suboptimal
situation to be fixed.

  [1] http://bugs.debian.org/340350

But it's something I can't fix myself, so if you want to express your
support for this idea, you can mail 340350@xxxx.xxxxxx.xxx.

-- 
Adeodato Simó                                     dato at net.com.org.es
Debian Developer                                  adeodato at debian.org
 
                        Listening to: Rosa León - El barquito chiquitito
