Hi Simon--
Thanks for the extensive and thoughtful reasoning about the longer-term
strategy here.
Regarding the immediate question:
On Sat 2025-06-07 14:52:33 +0100, Simon McVittie wrote:
> OK, in that case:
>
> sqopv | sopv-gpgv | sopv
As i understand it, the point of this recommendation is to have a
predictable sopv choice (sopv-gpgv) for platforms that can't build
sqopv (e.g., due to lack of Rust)
The other nice thing about this approach is that we could drop drop all
code that invokes gpgv directly from devscripts, simplifying both the
codebase and the types of OpenPGP certificates that can be used
(e.g., sopv accepts both armored and unarmored certificates; gpgv only
accepts unarmored certificates)
> or perhaps
>
> sqopv | sopv-gpgv | sopv | gpgv
This one i'm not as convinced by. If gpgv is already installed,
then installing devscripts (on a platform with or without rust) won't
bother installing any of the sopv variants, right?
> What I'm trying to avoid is that when I bootstrap a container with
> Essential + apt,
To be clear, we're talking here about devscripts, which isn't involved
in either Essential or apt, right?
All the best,
--dkg
