Installing GnuPG 2.1.4 in Debian Experimental

Rex Kneisley freebooter2015 at gmail.com
Sat Jun 13 05:37:30 CEST 2015 

> 
> 
> On Wed 2015-06-10 20:59:17 -0400, Rex Kneisley wrote:
>> gnupg-agent : Depends: libassuan0 (>= 2.2.0)
>>>>                        but 2.1.2-2 is to be installed
>> Call me crazy but I looked at the error message a bit more closely and
>> noticed that libassuan0 needed to be greater than 2.2.0 go I "googled
>> it" and stumbled on the Debian package for stretch
>> https://packages.debian.org/stretch/libassuan0
> 
> Yes, if you were running debian testing (currently "stretch"), then
> things would Just Work for you to add gnupg2 from experimental.
> 
> You indicated you were running stable (currently "jessie"), so i was
> trying to address a way to resolve the dependencies there (using
> "jessie-backports").  My goal was to provide you with a path that you
> could maintain within jessie -- once you start mixing packages from
> stretch, it becomes harder to maintain the difference.
> 
>> After I downloaded it, I installed the package with
>> "./configure;make;make install"
> 
> This is *not* the normal way to install debian packages.

It is my understanding that the best way to install Debian packages is indirectly using apt-get install. However, when I tried that with:
"apt-get install libassuan0” It kept telling me “package is up to date” and my attempt to install GnuPG from experimental continued to fail.

> What did you
> download?  how did you verify the download cryptographically?



Although I downloaded and verified all of the original packages from the GnuPG website:
https://gnupg.org/download/index.html <https://gnupg.org/download/index.html>

in my haste, I dowloaded the libassuan0 (2.2.1-1) package directly from
the Debian Package website:
https://packages.debian.org/stretch/libassuan0 <https://packages.debian.org/stretch/libassuan0>

I blatantly disregarded their warning:
“if you are running Debian, it is strongly suggested to use a package manager like aptitude <https://packages.debian.org/jessie/aptitude> or synaptic <https://packages.debian.org/jessie/synaptic> to download and install packages, instead of doing so manually via this website."

I addition to that, although the site is “https” and looks “official” enough,
there are no hashes or signatures provided.

>> In particular, gpg-agent, dirmngr, and scdaemon all use
>> assuan_sock_set_sockaddr_un() if available, which was only introduced in
>> assuan 2.2.0, which is only available since assuan 2.1.4; jessie only
>> has 2.1.2.

So essentially I solved my problem in the short term by installing assuan 2.2.1-1

At this point my concern is:
1) I have dowloaded and installed software that I was unable to verify.
2) I have taken a shortcut with my Debian release(stable) that might cause issues if I run an update.

> Yes, if you were running debian testing (currently "stretch"), then
> things would Just Work for you to add gnupg2 from experimental.

Moving to “stretch” seems the most strait-forward
way of achieving my goal of running GnuPG version 2.1.x. But doen't that also automatically download and install “testing” versions of other packages that I am not interested in?

Will running "apt-get install update && apt-get install dist-upgrade”
on my system, in it’s current state, overwrite libassuan0 with an earlier version?

Is it too late to try to move to “stretch”?

Thank you for all of your help in this matter. I know we are drifting in to territory that would be more appropriate in a delian-users mailing list.

Rex
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20150612/517cffdb/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: </pipermail/attachments/20150612/517cffdb/attachment-0001.sig>

More information about the Gnupg-users mailing list