On Thu, Mar 27, 2025 at 11:05:11PM +0200, Peter Pentchev wrote:
> On Thu, Mar 27, 2025 at 07:45:12PM +0100, Bill Allombert wrote:
> > Dear Debian developers,
> >
> > popularity-contest relies on /usr/bin/gpg for encrypting files.
> > (it cannot use gpgv which does not provide encryption).
> >
> > By design popularity-contest needs to have as few non-essential
> > dependencies as possible because this skews the result.
> >
> > It used to be the case that apt depended on gpg, but not anymore.
> > Is it still the best option?
>
> I am among the people who have moved towards the Sequoia family of
> cryptographic tools; in particular, sqop (a Sequoia implementation of
> the SOP command-line interface) seems to work:
>
> [roam@straylight ~]$ echo canttouchthis | sqop encrypt /usr/share/popularity-contest/debian-popcon.gpg | pgpdump
> New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
>     New version(3)
>     Key ID - 0x4E9024B327CBD937
>     Pub alg - RSA Encrypt or Sign(pub 1)
>     RSA m^e mod n(4095 bits) - ...
>         -> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02
> New: Symmetrically Encrypted and MDC Packet(tag 18)(63 bytes)
>     Ver 1
>     Encrypted data [sym alg is specified in pub-key encrypted session key]
>         (plain text + MDC SHA1(20 bytes))
> [roam@straylight ~]$
>
> Hope that helps!

Sent too fast. What I really intended to suggest was to support any SOP
implementation (the command-line interface is the same, that's the point)
and possibly prefer one as default. See e.g. dpkg-buildpackage for
an example (and a great big thanks, Guillem! the SOP support there
made unattended automated signing much easier!).

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@debian.org pe...@morpheusly.com
PGP key:        https://www.ringlet.net/roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
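
The backend selection suggested in the message above, as an added sketch that is not code from popularity-contest, dpkg or either poster: it picks the first working SOP implementation and runs the same `encrypt` call shown in the quoted session. The candidate list, the `POPCON_SOP` override variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: choose any installed SOP implementation, then encrypt
# stdin to a certificate file. Names below are hypothetical, not taken
# from popularity-contest.

# Candidate SOP binaries in order of preference (assumed list).
SOP_CANDIDATES="sqop gosop rsop"

# Print the first usable SOP implementation, or return 1 if none works.
# POPCON_SOP (hypothetical override) replaces the candidate list.
# A candidate must exist AND answer "version", a subcommand every SOP
# implementation provides, so a broken install is skipped.
find_sop() {
    for cand in ${POPCON_SOP:-$SOP_CANDIDATES}; do
        if command -v "$cand" >/dev/null 2>&1 &&
           "$cand" version >/dev/null 2>&1; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Encrypt stdin to the certificate file $1 and write the result to stdout.
# Fails closed: an unreadable certificate (2) or a missing backend (3)
# produces no output, so a caller never submits plaintext by accident.
sop_encrypt() {
    cert=$1
    if [ ! -r "$cert" ]; then
        echo "cannot read certificate: $cert" >&2
        return 2
    fi
    backend=$(find_sop) || {
        echo "no SOP implementation found" >&2
        return 3
    }
    # Same invocation as in the quoted session: <sop> encrypt CERT
    "$backend" encrypt "$cert"
}
```

A caller would pipe the report into `sop_encrypt /usr/share/popularity-contest/debian-popcon.gpg` and treat any non-zero status as "do not submit".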