On Tue 2016-08-30 08:49:20 -0400, Julian Andres Klode wrote:
>> apt/auth.py appears to want to force gnupg to store its secret key
>> material in secring.gpg. This isn't a best practice, and modern
>> versions of gpg do not do so by default. I'd recommend dropping
>> tmp_secret_keyring entirely.
>
> Hmm, there should not even be any secret key material, as apt only
> deals with public keys.

agreed, all the more reason to strip out those extra directives ;)

>> I'll be releasing a new version of gnupg shortly that will explicitly
>> declare that it Breaks: python-apt (<= 1.1.0~beta4).
>
> I think that's a bit overkill. While this part of python-apt is broken
> with the new gnupg, the rest works fine; and nobody uses the apt.auth
> module. Not to mention that I'm deprecating it, as we deprecated the gpg
> stuff in apt-key.

If you want me to remove the Breaks: i can do so -- my goal was to
address the concerns raised in https://bugs.debian.org/835349. If you'd
rather that i not provide a Breaks: or a Conflicts: for python-apt, i
can avoid it -- speak up though, i'm hoping to release the next version
of gnupg2 to unstable shortly :)

>> Ideally, the next version of python-apt can have these bugs fixed and it
>> will work cleanly with the modern version of gnupg.
>
> Sure. But we should really support both old and new gpg versions, otherwise
> it gets a bit annoying.
>
> Maybe there's also an option to display fingerprints instead of keyids
> in --with-colons --list-keys?

sure!

    gpg --fixed-list-mode --with-fingerprint --with-fingerprint --with-colons --list-keys

will produce lines of the form:

    fpr:::::::::0EE5BE979282D80B9F7540F1CCD2ED94D21739E9:

The hex string shows up in $10 for "awk -F:", fields[9] in python after
fields = line.split(":").

providing --with-fingerprint twice ensures that you get fingerprints for
both primary keys and subkeys -- if that's what you want.

>> However, if your next upload of python-apt can't be built or run against
>> modern versions of GnuPG
>
> That would be silly :)

i'm glad it will be straightforward to sort it out ;)

Thanks for your work on this,

        --dkg
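The fingerprint extraction described in the message above, as an added example that is not part of the original e-mail or of python-apt's code: it reads `fields[9]` of each `fpr` record and ties it to the preceding `pub` or `sub` record. The function name and the sample listing are assumptions made for illustration; the listing is constructed, and only its first fingerprint comes from the message.

```python
import re

# Constructed sample of the colon listing produced by
#   gpg --fixed-list-mode --with-fingerprint --with-fingerprint \
#       --with-colons --list-keys
# The first fpr value is the one quoted in the message; the uid, the subkey
# records and the trailing malformed record are made up for this example.
SAMPLE = """\
tru::1:1472561360:0:3:1:5
pub:-:4096:1:CCD2ED94D21739E9:1168027200:::-:::scESC:
fpr:::::::::0EE5BE979282D80B9F7540F1CCD2ED94D21739E9:
uid:-::::1168027200::::Constructed User <user@example.org>:
sub:-:4096:1:1122334455667788:1168027200::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1122334455667788:
fpr:::::::::not-a-fingerprint:
"""

# Assumption: v4 keys only, whose fingerprint is 40 upper-case hex digits.
V4_FPR = re.compile(r"[0-9A-F]{40}")


def parse_fingerprints(colon_output):
    """Return [(record_type, fingerprint, keyid_matches)] for pub/sub records.

    keyid_matches is True when the long key ID on the pub/sub line equals the
    last 16 hex digits of the fingerprint, as it must for a v4 key.
    """
    results = []
    pending = None  # (record type, long key ID) still waiting for its fpr line
    for line in colon_output.splitlines():
        fields = line.split(":")
        rectype = fields[0]
        if rectype in ("pub", "sub"):
            # Field 5 (index 4) of a key record is the long key ID.
            pending = (rectype, fields[4]) if len(fields) > 4 else None
        elif rectype == "fpr" and pending is not None:
            # Field 10 (index 9) of an fpr record is the fingerprint.
            fpr = fields[9] if len(fields) > 9 else ""
            if V4_FPR.fullmatch(fpr):
                results.append((pending[0], fpr, fpr.endswith(pending[1])))
            pending = None  # one fpr per key record; later strays are skipped
    return results


if __name__ == "__main__":
    for rectype, fpr, ok in parse_fingerprints(SAMPLE):
        print(rectype, fpr, "keyid-ok" if ok else "KEYID MISMATCH")
```

Comparing full fingerprints rather than the key ID in field 5 is the point of the exchange: the `keyid_matches` flag only cross-checks the listing against itself and is not a substitute for pinning the fingerprint.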