Currently apt is using gpgv to verify Release.gpg files. It would probably be a good idea to use an implementation of the SOP interface instead.

SOP is short for "stateless OpenPGP", and it's a specification by Daniel Kahn Gillmor (dkg). See https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/

There are many implementations of that, including one for GnuPG. Having a consistent interface makes it easier to switch to a different implementation. The OpenPGP Interoperability Test Suite (https://tests.sequoia-pgp.org/) uses this.

If APT used SOP, it could even allow a sysadmin to choose what implementation they want. This would free apt from being locked into GnuPG without abandoning OpenPGP entirely. The SOP interface is pretty good for programmatic use.
Control: tag -1 moreinfo

It's a draft and to my knowledge there are no suitable implementations yet?

APT must Depend on the default backend and we must make sure that this dependency is not satisfiable by other packages. Any non-default backend must be explicit configuration via config files, otherwise the risk of breaking updates due to implementation-specific bugs is just too great.

I want to phase out OpenPGP and do not see the point in undertaking this work. This will likely introduce several CVEs, and still involves spawning subprocesses and parsing their output, which is the thing that we want to get rid of in the first place.
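As an added illustration of the call the first message proposes, and of the subprocess spawning and output parsing the reply objects to, here is example code written for this page; it is neither apt's code nor any SOP implementation's. It assumes the draft's `sop verify SIGNATURE CERTS... < DATA` invocation, its whitespace-separated VERIFICATIONS lines (UTC timestamp, signing-key fingerprint, primary-key fingerprint, optional trailing text) and exit status 3 for NO_SIGNATURE; the `run` parameter is a hypothetical injection point so the wrapper can be exercised without a SOP binary installed.

```python
import subprocess
from dataclasses import dataclass
from typing import Callable, List

# Exit status the SOP draft assigns to "no acceptable signature found"
# (assumption based on the draft's exit-code table).
SOP_NO_SIGNATURE = 3


@dataclass
class Verification:
    timestamp: str    # ISO-8601 UTC time of the signature
    signing_fpr: str  # fingerprint of the (sub)key that made the signature
    primary_fpr: str  # fingerprint of the primary key of the signing certificate
    comment: str      # optional trailing text (mode, certificate description, ...)


def parse_verifications(stdout: str) -> List[Verification]:
    """Parse the VERIFICATIONS lines 'sop verify' writes to stdout.
    Each line is accepted only if it carries the three mandatory fields."""
    results = []
    for line in stdout.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) < 3:
            raise ValueError(f"malformed VERIFICATIONS line: {line!r}")
        timestamp, signing, primary = fields[:3]
        comment = fields[3] if len(fields) == 4 else ""
        results.append(Verification(timestamp, signing, primary, comment))
    return results


def sop_verify(data: bytes, sig_path: str, cert_paths: List[str],
               sop: str = "sop",
               run: Callable = subprocess.run) -> List[Verification]:
    """Run 'sop verify SIGNATURE CERTS... < DATA' and return the signatures the
    implementation accepted. An empty list means no valid signature from any
    of the supplied certificates; any other failure is raised as an error so a
    caller never mistakes a broken backend for a verified file."""
    argv = [sop, "verify", sig_path, *cert_paths]
    proc = run(argv, input=data, capture_output=True)
    if proc.returncode == SOP_NO_SIGNATURE:
        return []
    if proc.returncode != 0:
        err = proc.stderr.decode(errors="replace")
        raise RuntimeError(f"{sop} verify failed ({proc.returncode}): {err}")
    return parse_verifications(proc.stdout.decode())


def signed_by_any(verifs: List[Verification], allowed_primary: List[str]) -> bool:
    """True if at least one accepted signature comes from an allowed primary key
    (the kind of per-source restriction apt expresses with Signed-By)."""
    return any(v.primary_fpr in allowed_primary for v in verifs)
```

The fake `run` in a test can hand back a constructed `subprocess.CompletedProcess`, which is also how a real caller would unit-test the wrapper without trusting a particular backend.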