For the use cases I've outlined, gpgv-static definitely does not need LDAP/PAM/NFS/whatever, and would probably be totally fine without all kinds of tilde expansion.

Daniel Kahn Gillmor:
> Tilde expansion isn't super important -- it certainly shouldn't be used
> in debootstrap. And if the result was a crash i'd really want to find a
> workaround here. Out of curiosity, how is HAVE_PWD_H set (or unset) in
> the config.h for your static build against bionic libc?

The Android toolchain (aka NDK) does not set HAVE_PWD_H, but in my Android builds of gnupg 2.1, it is set:

  #define HAVE_PWD_H 1

And Android does indeed have that header at, for example:

  /opt/android-ndk/platforms/android-21/arch-x86/usr/include/pwd.h

Daniel Kahn Gillmor:
> given that the statically-built binary appears to fail gracefully in the
> absence of libnss inside a chroot, though, i'm inclined to not bother
> with either of these approaches.

I'm fine with trying it as is. Otherwise, just remove NSS/LDAP/etc and tilde expansion entirely and be done with it.

Here's my stab at the description:

 GnuPG is GNU's tool for secure communication and data storage.
 It can be used to encrypt data and to create digital signatures.
 It includes an advanced key management facility and is compliant
 with the proposed OpenPGP Internet standard as described in RFC 4880.
 .
 This is GnuPG's signature verification tool, gpgv, built statically
 so that it can be directly used on any platform that is running on
 the Linux kernel. Android and ChromeOS are two well known examples,
 but there are many other platforms that this will work for, like
 embedded Linux OSes. This gpgv in combination with debootstrap and
 Debian keyrings allows the secure creation of chroot installs on
 these platforms by using the full Debian signature verification that
 is present in all official Debian mirrors.

.hc