On Tue 2017-08-15 17:07:21 +0100, Adam D. Barratt wrote:
> The dependency was added as part of the changes in d-a-k 2012.1:
>
>   [ David Kalnischkies ]
>   * Ship each active key in a separate keyring in /etc/apt/trusted.gpg.d/
>     as conffiles for simpler usage of apt-secure(8).
>   * Remove all active keys from /etc/apt/trusted.gpg as they are shipped
>     now as fragment files.
>   * Depend on gpgv and only recommend gnupg. (Closes: #387688)
>
> I've not looked at what happens with the current package if gpgv is not
> available.

"the current package" means debian-archive-keyring, right? So that's:

    Description-en: GnuPG archive keys of the Debian archive
     The Debian project digitally signs its Release files. This package
     contains the archive keys used for that.

The only maintscript which even mentions gpg or gpgv is postinst, which
has something for upgrades from 2012.1 (older than oldoldstable).

And nothing else is shipped in debian-archive-keyring that would
actually depend directly on gpgv.

I don't think it belongs as a dependency here. We don't want to say
"you must verify OpenPGP signatures made by these keys with GnuPG's
gpgv", do we?

If some other tool needs gpgv specifically, *it* should be the thing
that states a dependency on gpgv.

--dkg