1. Forum
  2. Usenet
  3. LINUX.DEBIAN.BUGS.DIST

  • Bug#1091333: devscripts: implement support for sqv as gpgv alternative

    From Daniel Kahn Gillmor@21:1/5 to All on Fri Jan 3 19:20:01 2025
    On Wed 2024-12-25 16:20:24 +0200, Martin-Éric Racine wrote:
    ke 25.12.2024 klo 16.00 Holger Levsen (holger@layer-acht.org) kirjoitti:

    On Wed, Dec 25, 2024 at 03:15:04PM +0200, Martin-Éric Racine wrote:
    We still have this:
    Depends: gnupg | gnupg2, sopv | gpgv
    i.e. how do the dependencies reflect the transition from these tools to sq,sqv?

    thanks, that's indeed something to address. (however we want to transition >> to sop/sopv, not sq/sqv.)

    Fair enough. Just as long as GPG dependencies remains consistent
    between apt, dpkg and devtools.

    Martin-Éric, i think you mean "PGP dependencies", not "GPG
    dependencies", right?

    The main issue going forward is that we want interoperable OpenPGP data
    formats to be produced and consumed by the various tools.

    apt has a very specific set of OpenPGP needs -- primarily signature verification, and various forms of OpenPGP signature and certificate debugging/linting to be able to provide warnings to users about upcoming cryptographic policy tightening before they happen.

    In addition to these needs, devscripts is actually *creating*
    signatures, and potentially doing other forms of OpenPGP data
    manipulation, etc.

    FWIW, the only reason I found out about 'sq' in the first place is a
    uscan warning that suggests concatenating ASCII Armor blocks in signing-key.asc using 'sq'. Conversely, recent APT uploads show that
    it has migrated to 'sqv'. Both of these really point to a migration to sq/sqv, not sop/sopv.

    sq (and its verification-only sibling, sqv) is a particular OpenPGP implementation, the Sequoia project.

    sop (and its verification-only subset, sopv) is a generic standard of
    which we have several distinct implementations in debian today
    (including sqop/sqopv from the Sequoia project).

    Attaching devscripts (a Debian Developer-focused package) to sq and sqv
    rather than the more generic standard seems to constrain developer tool
    choice more significantly than we need to, and binds the Debian
    ecosystem more tightly to a specific OpenPGP implementation. While
    there are some narrow advantages to debian to requiring all Debian
    developers to use a single OpenPGP implementation, i think there are
    more advantages to the ecosystem generally to supporting the use of
    several interoperable implementations, as Debian developers are more
    likely to be able to help ensure that the various implementations
    converge as needed.

    anyway, that's my 2¢ on it!

    --dkg

    --=-=-Content-Type: application/pgp-signature; name="signature.asc"

    -----BEGIN PGP SIGNATURE-----

    wr0EARYKAG8Fgmd4KHAJEHctFh41zUuBRxQAAAAAAB4AIHNhbHRAbm90YXRpb25z LnNlcXVvaWEtcGdwLm9yZ44i/mgGJKFLi6G4URIA5sthlxmDlzl9NxJN/LHhsIRt FiEEdLwExD2GCEvoZywGdy0WHjXNS4EAAAJ8AQCfATaNiFUxeEhW5Hbuu9sx3LsF +bJOREwMRO4CxQJPeAEAgpY6M6zLdO2QWaiyXToLg1L6BHY8ujDC1KjieiYqbwE=RueV
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From =?UTF-8?Q?Martin=2D=C3=89ric_Racine@21:1/5 to All on Sat Jan 4 10:50:02 2025
    pe 3.1.2025 klo 20.12 Daniel Kahn Gillmor (dkg@debian.org) kirjoitti:
    Attaching devscripts (a Debian Developer-focused package) to sq and sqv rather than the more generic standard seems to constrain developer tool choice more significantly than we need to, and binds the Debian
    ecosystem more tightly to a specific OpenPGP implementation. While
    there are some narrow advantages to debian to requiring all Debian
    developers to use a single OpenPGP implementation, i think there are
    more advantages to the ecosystem generally to supporting the use of
    several interoperable implementations, as Debian developers are more
    likely to be able to help ensure that the various implementations
    converge as needed.

    I really don't have any opinion on which GPG implementation should get selected. My key point is to pick one and apply it across the board
    for dpkg, apt and devscripts. Until recently, it meant gpg/gpgv across
    the board. I also don't mind if software includes support for various implementations. My goal here is to avoid dependencies being all over
    the place. If the consensus if for sop/sopv, I'm fine with it. If it's
    for sq/sqv, I'm fine with it. I simply want to avoid an outcome where
    each of those key packages has a hard Depends on an entirely different
    GPG implementation.

    Martin-Éric

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)