Jonathan McDowell <nood...@earth.li> writes: > On Mon, Jan 13, 2025 at 11:08:11AM +0100, Simon Josefsson wrote: >> Daniel Kahn Gillmor <d...@debian.org> writes: >> > I welcome review and critique of the packaging for this tricky package, >> > which is pretty deeply embedded in Debian (though getting less so, as >> > apt no longer requires it and we have many other OpenPGP implementations >> > available today). I'd be even more delighted with offers of active >> > co-maintenance beyond the work that Andreas and i have been doing. >> >> I've offered help, but my impression has been that it not giving up on >> the schism thing has been more important than getting Debian to ship >> upstream code to users and let people decide what they want to use. >> >> Sometimes it is better to let other make decisions rather than to make >> decisions for others. > > I agree, but in this instance given the reliance we have upon GnuPG > throughout the Debian ecosystem I believe it's important we ensure that > the default configuration of what we ship is compatible with OpenPGP. > Power users can feel free to play with OpenPGP v6 / LibrePGP > enhancements, but for the vast majority of folk sticking to RFC > compliant v4 is going to make the most sense.
I understand this concern, but I believe there is a strong bias for Debian developers to care about our own use-cases a lot which may not be particulary relevant outside the scope of Debian-internal development. I believe it would be perfectly fine to ship verbatim upstream unpatched GnuPG 2.4 and work out any Debian-specific quirks and requirements we have and put quirks into tools that are external to GnuPG itself. If there are requirements on how to use GnuPG for interacting with Debian, please just document them rather than patching GnuPG to behave the way you want. This is even more true considering that the people who are patching GnuPG seems to be the same people who are working on replacing GnuPG with Seqoia. /Simon
signature.asc
Description: PGP signature
