[Pkg-gnupg-maint] packaging dirmngr from 2.1.0

Werner Koch wk at gnupg.org
Mon Oct 13 20:24:35 CEST 2014

On Tue,  7 Oct 2014 08:52, dkg at fifthhorseman.net said:

>> Seems like it would be obviously bad to use anything other than the
>> system certs?
> It would be good to know from upstream whether there is any expectation
> of built-in certs, specific formats desired/needed, etc.

The cert for the keyserver pool would be a good idea, but it is probably
better to install it separately.  As of now there is no default and

     --hkp-cacert FILE   use the CA certificates in FILE for HKP over TLS

must be used.  I consider PKIX broken, thus I won't make any suggestion
what to install.

> So the only package outside of gnupg2 that we need to think about is
> kleopatra.  I don't think that kleopatra depends on the system service
> -- looking at the kdepim source code, it appears to try to invoke
> dirmngr on its own, directly, rather than looking for a system socket.

IIRC, Kleopatra has a feature to trigger a CRL download so that you can
use S/MIME offline for some time.  Dirmngr has these options

     --list-crls                  list the contents of the CRL cache
     --load-crl FILE              load CRL from FILE into cache
     --fetch-crl URL              fetch a CRL from URL

which may be used by Kleo.  But it is not really important and I do not
known whether it is still used.  In any case it Kleo can be changed to
run dirmngr-client or gpg-connect-agent.  Running dirmngr directly is
pretty old fashioned. 

@andre: Can you remember any details?

> the idea behind socket activation is that the service doesn't need to be
> started until someone actually queries it.

The Hurd folks call this feature a translator ;-)

> Those config files are now moved to /etc/gnupg2/ instead of
> /etc/dirmngr/, but by default i don't know that they need to be present
> at all.  However, if they aren't present, the dirmngr system service
> does complain about the lack of /etc/gnupg2/ldapservers.conf

Turn this into a warning or silent it?  If you don't use LDAP it is not
required.  The old dirmngr's main task was to query LDAP servers, thus this
warning.  With the new support for PGP keyservers, I consider LDAP an
optional feature.

> For simplicity, i'm considering setting up the experimental dirmngr
> package to not have the system service at all, since it makes the
> packaging simpler and clearer.




Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-devel mailing list