On 2017-08-15 15:37, Daniel Kahn Gillmor wrote:
> I'm not even sure i understand why debian-archive-keyring Depends: gpgv
> -- the package's goal is to provide the archive keyring to enable
> OpenPGP validation, but the package itself doesn't appear to require
> gpgv in any way. Presumably the packages that need to *do* OpenPGP
> validation will Depend: gpgv (or whatever other OpenPGP validator tool
> they prefer to use).
>
> I recommend moving gpgv to Suggests: and removing gnupg from the
> set

The dependency was added as part of the changes in d-a-k 2012.1:

  [ David Kalnischkies ]
  * Ship each active key in a separate keyring in /etc/apt/trusted.gpg.d/
    as conffiles for simpler usage of apt-secure(8).
  * Remove all active keys from /etc/apt/trusted.gpg as they are shipped
    now as fragment files.
  * Depend on gpgv and only recommend gnupg. (Closes: #387688)

I've not looked at what happens with the current package if gpgv is not
available.

Regards,

Adam