Will gpg 1.x remain supported for the foreseeable future?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jan 18 02:20:30 CET 2018


On Wed 2018-01-17 15:09:45 -0800, Dan Kegel wrote:
> Yes to all four questions.  Here's the user story.

cool, your user story all makes sense to me except this bit:

> - The package depends on debian-archive-keyring (to leverage
> the web of trust as suggested in 'man secure-apt')

(itym 'man apt-secure', right?)

if you're expecting ubuntu (or any other non-debian) users to install
this, then you're actually increasing their attack surface, because this
package will place debian archive keys as "trusted" keys automatically
(meaning "any archive that is signed by them is considered legitimate"),
when they weren't present on the system before.

I don't see the part of apt-secure(8) that says anything about needing
this, and i don't see how it "leverages the web of trust" -- can you
explain this more?  Without a clear justification, i think you should
remove this dependency.

> I also have to support a range of versions of gpg, can't insist
> on the latest.  Happily, in preparation for supporting Ubuntu 17.10,
> I verified that I can drop support for versions of gpg and apt
> older than the ones in Ubuntu 16.04.

what i'm not hearing is an explicit example of how you are using gpg --
as the archive maintainer, surely you manage the archive itself on a
system of your choice.  for me, that would be a debian stable system,
with reprepro or something like that, which should already know how to
call out to gpg.

as the developer of the foobar-archive package, you shouldn't need to
invoke gpg at all in your package build scripts other than just --import
and --export, which should be pretty standard across all versions of
gpg.

your end users don't actually need full-blown gpg at all -- modern
versions of apt depend explicitly (and minimally) on gpgv, since all
they do is verify signatures based on a set of acceptable keys.

> While my foobar-archive.deb may seem superficially similar to
> debian-archive-keyring.deb, the latter does things
> in its postinstall step that establish trust at the system
> level in a way that doesn't seem like a good example for
> third party apt repositories to use as an example.

yep, agreed.  (which is why i'm surprised to see your dependency on
debian-archive-keyring.) You may also be interested in
https://bugs.debian.org/861695, fwiw.

All the best,

    --dkg