Daniel Kahn Gillmor <d...@fifthhorseman.net> (2025-04-11): > Control: forwarded 1102621 https://dev.gnupg.org/T7603 > Control: tags 1102621 + patch > > On Fri 2025-04-11 19:27:12 +0200, Andreas Metzler wrote: > > npth was added in > > ce9906b008c94c2aa4ac770a981d1e1e0b8aea47 > > gpg: First rough implementation of keyboxd access for key lookup. > > > > and libassuan in aba82684fe14289cf62b4694bc398f3a274b4762 > > gpg: New option --use-keyboxd. > > Thanks for the sleuthing here, Andreas. It's definitely useful to > know where these additional dependencies were added. But i don't think > gpgv has any business talking to keyboxd, at least according to its > documentation. > > And, in the places where we use gpgv, it would probably be a disaster > if it *did* talk to keyboxd.
Alright. It wasn't clear to me how gpgv and keyboxd fit in that picture, thanks for sorting that out! > It looks like libassuan is present only due to g10/call-keyboxd.c. > I've reported that upstream as https://dev.gnupg.org/T7603, and the > patch attached here stubs out those calls for gpgv. > > I'm now looking into whether the npth dependency is really needed. it > seems like the only invocations of npth in gpgv are: > > - npth_read > - npth_sleep > - npth_usleep > > afaict, those are merely collaborative asynchronous wrappers around the > standard POSIX calls, which again seem unnecessary for gpgv. > > They appear to have been pulled in from common/sysutils.c when built > with pth, which suggests that we just need to link gpgv against a > non-pth libcommon. I'll test further and report back. Thanks to both of you for the kick turnaround! It looks like gpgv-udeb 2.4.7-14 has satisfiable dependencies *and* manages to validate mirrors from within d-i. Cheers, -- Cyril Brulebois (k...@debian.org) <https://debamax.com/> D-I release manager -- Release team member -- Freelance Consultant
signature.asc
Description: PGP signature