On Wed 2024-12-25 16:20:24 +0200, Martin-Éric Racine wrote:
> On Wed 25.12.2024 at 16.00 Holger Levsen (hol...@layer-acht.org) wrote:
>>
>> On Wed, Dec 25, 2024 at 03:15:04PM +0200, Martin-Éric Racine wrote:
>> > We still have this:
>> > Depends:  gnupg | gnupg2, sopv | gpgv
>> > i.e. how do the dependencies reflect the transition from these tools to 
>> > sq,sqv?
>>
>> thanks, that's indeed something to address. (however we want to transition
>> to sop/sopv, not sq/sqv.)
>
> Fair enough. Just as long as GPG dependencies remain consistent
> between apt, dpkg and devtools.

Martin-Éric, i think you mean "PGP dependencies", not "GPG
dependencies", right?

The main issue going forward is that we want interoperable OpenPGP data
formats to be produced and consumed by the various tools.

apt has a very specific set of OpenPGP needs -- primarily signature
verification, and various forms of OpenPGP signature and certificate
debugging/linting to be able to provide warnings to users about upcoming
cryptographic policy tightening before they happen.

In addition to these needs, devscripts is actually *creating*
signatures, and potentially doing other forms of OpenPGP data
manipulation, etc.

> FWIW, the only reason I found out about 'sq' in the first place is a
> uscan warning that suggests concatenating ASCII Armor blocks in
> signing-key.asc using 'sq'. Conversely, recent APT uploads show that
> it has migrated to 'sqv'. Both of these really point to a migration to
> sq/sqv, not sop/sopv.

sq (and its verification-only sibling, sqv) is a particular OpenPGP
implementation, the Sequoia project.

sop (and its verification-only subset, sopv) is a generic standard of
which we have several distinct implementations in debian today
(including sqop/sqopv from the Sequoia project).

Attaching devscripts (a Debian Developer-focused package) to sq and sqv
rather than the more generic standard seems to constrain developer tool
choice more significantly than we need to, and binds the Debian
ecosystem more tightly to a specific OpenPGP implementation.  While
there are some narrow advantages to debian to requiring all Debian
developers to use a single OpenPGP implementation, i think there are
more advantages to the ecosystem generally to supporting the use of
several interoperable implementations, as Debian developers are more
likely to be able to help ensure that the various implementations
converge as needed.

anyway, that's my 2¢ on it!

    --dkg
