#873499 Should depend on "gnupg | gnupg2 | gpg"

#873499#5
Date:
2017-08-28 12:36:20 UTC
From:
To:
The gnupg2 package in unstable has been renamed again and split into several
components.

The "gnupg" package is now the full suite, while "gpg" contains the binary
itself. To avoid extra dependencies, it would be nice to update the dependency
to "gnupg | gnupg2 | gpg".

#873499#10
Date:
2017-08-29 05:05:06 UTC
From:
To:
I'm not convinced that this is a good idea.  gpg's package description
says:

 This package contains /usr/bin/gpg itself, and is useful on its own
 only for public key operations (encryption, signature verification,
 listing OpenPGP certificates, etc).  If you want full capabilities
 (including secret key operations, network access, etc), please
 install the "gnupg" package, which pulls in the full suite of tools.

pass requires secret key operations, not just public key operations.

Thanks,

#873499#15
Date:
2017-08-29 09:04:01 UTC
From:
To:
I've been using pass with gpg only already since gpg 2.1.23 became
available using an equivs package to fulfill the dependency. Can you
make an example of a "secret key operation"? I think gpg's description
is misleading.

gpg can definitely generate and manipulate secret keys by itself for
example.

The only difference is that you need to depend on dirmngr/gpgsm or the
tools package explicitly.

#873499#20
Date:
2017-09-10 16:56:38 UTC
From:
To:
I see that Yuri has filed another bug report in this regard (#873498).
Somehow I think the maintainer of gnupg should be involved here before
more such bugs are filed.

So bringing Daniel into the loop here.
I'd be interested to hear if changing the dependencies this way is what
he recommends and if so, if he plans to do a proper MBF for that.

Regards,
Michael

#873499#25
Date:
2017-09-11 02:16:53 UTC
From:
To:
an example of a secret key operation in pass is: decrypting an encrypted
password file.  if that is important to you, then you need at least
gpg-agent installed.

I'm sorry to hear that.  Can you suggest alternate wording that might be
more suitable?
You need gpg-agent.  here's a debian installation without gpg-agent,
trying to generate a key:

0 dkg@sid:~$ gpg --gen-key
gpg (GnuPG) 2.2.0; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/home/dkg/.gnupg' created
gpg: keybox '/home/dkg/.gnupg/pubring.kbx' created
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: monkeypants
Email address: monkey@pants.example.org
You selected this USER-ID:
    "monkeypants <monkey@pants.example.org>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: failed to start agent '/usr/bin/gpg-agent': No such file or directory
gpg: can't connect to the agent: No such file or directory
gpg: agent_genkey failed: No agent running
Key generation failed: No agent running
2 dkg@sid:~$

The simplest thing is just to depend on the gnupg suite, and that is
totally reasonable for the "pass" package if the maintainer prefers it.
(it's also easier for rapid backporting) If the package maintainer wants
something fancier and more narrowly targeted, they could do something
like:

  Depends: gpg-agent, gpg
  Recommends: gnupg

since i don't believe that pass has any need for network access
(dirmngr) or X.509 or CMS (gpgsm).  But i don't know pass super well so
i can't guarantee that this is correct.

however, i've also considered just bundling *all* of the GnuPG suite
into a single "gnupg" package, and breaking out only "gpgv" from the lot
-- that would mean fewer packages installed overall (and therefore
probably fewer complaints from users who like "tight dependencies",
despite the fact that it would mean all the same binaries are actually
installed as the current variant where the binaries are all split into
separate packages).  I know that GnuPG upstream generally prefers to
have all the binaries installed together, so maybe that would be a
better approach if other debian packagers are annoyed by the package
split.

I certainly don't want most users to have to think about which specific
packages they need to install.

let me know what you think we should do!

#873499#30
Date:
2017-09-11 12:28:29 UTC
From:
To:
Since I always had to use the agent, I never noticed. Sorry about that.

I'd rather go for this route, and recommend gpg-agent from gpg,
mentioning that secret key operations require at least the agent to be
running in the description.

pass doesn't fetch external keys.

I'm actually happy that newer versions of gpg do not require dirmngr to
be running anymore. When using gpg non-interactively, having services
start-up unexpectedly (especially under systemd activation) is not
something I'm pleased with. I remember I filed a bug report about the
agent/dirmngr activation. I use gpg for batch unattended operations, but
it looks like gpg is becoming more and more a tool for strictly
interactive usage.

#873499#35
Date:
2017-09-11 13:30:59 UTC
From:
To:
gpg already Recommends: gnupg, which itself Depends: gpg-agent.

Please propose alternate text for the package Description.  gpg currently
says:

 This package contains /usr/bin/gpg itself, and is useful on its own
 only for public key operations (encryption, signature verification,
 listing OpenPGP certificates, etc).  If you want full capabilities
 (including secret key operations, network access, etc), please
 install the "gnupg" package, which pulls in the full suite of tools.


gpg-agent's Description says:

 This package contains the agent program gpg-agent which handles all
 secret key material for OpenPGP and S/MIME use.  The agent also
 provides a passphrase cache, which is used by pre-2.1 versions of
 GnuPG for OpenPGP operations.  Without this package, trying to do
 secret-key operations with any part of the modern GnuPG suite will
 fail.

No version of gpg has ever required dirmngr to be running just to use
gpg.

However, dirmngr is used for network access.  This means that if you ask
gpg to do something that requires network access, you will need dirmngr
running.  modern gpg itself never talks to the network.

Your previous sentence suggests that you don't want to always having a
daemon running.  in this sentence, you suggest that you don't like the
systems that help you to avoid always having a daemon running.  These
two complaints seem incompatible, unless all you're saying is that you
simply don't like the idea of separated processes with different
requirements/capabilities at all.

However, there are good arguments for having long-running processes (for
dirmngr, e.g. cached DNS lookups, shared state about known-bad mirrors,
isolation of network access away from sensitive data handling code,
etc).

i'd like to help you resolve the grievances you raise, but they seem
mutually contradictory to me, and in many cases against the improved
engineering practices.  Can you be more specific (probably in a separate
bug report)?

gpg has always been more about interactive usage than automated usage.
I agree that it has been a frustrating tool to use for unattended
operations in the past, and that kind of automated workflow seems to
have always been a bit of an afterthought to the upstream project.

However, i think that's actually getting better these days, not worse --
they take bug reports about non-interactive failures more seriously and
fix them more promptly than they used to.

Can you tell me (probably in a separate report) what unattended
operation problem you're particularly having, so we can try to get it
resolved?  surely the fact that unattended operation might involve
multiple processes instead of a single process isn't the problem in
itself.

Regards,

#873499#40
Date:
2017-09-11 14:56:39 UTC
From:
To:
I'd recommend gpg-agent, and suggest gnupg instead.

This package contains /usr/bin/gpg itself, and is useful on its own only
for public key operations (encryption, signature verification, listing
OpenPGP certificates, etc). For operations involving secret keys and
passphrases, gpg-agent is also required. If you want full capabilities
(network access, X.509 and CMS and all other command line utilities),
please install the "gnupg" package, which pulls in the full suite of
tools.

I don't oppose the idea of a separated process with different
capabilities. This is fine for using gpg as a daemon for interactive
usage. I'm using gpg-agent with pinentry for ssh keys as well, so I'm
not complaining about this. I overall like how these work together.

But on the other side, when all you want to do is use gpg in a batch
script and it fed stuff which is already on disk, these separate
processes do hardly anything useful.

Let's continue this into a separated report then.

Let me know what you think about the revised description and suggested
dependencies.

#873499#45
Date:
2017-09-11 15:31:03 UTC
From:
To:
[ moving (and setting m-f-t) to pkg-gnupg-maint, which is a more
  appropriate forum for this discussion.  for folks just joining us for
  the backlog, please see https://bugs.debian.org/873499 ]

why?  upstream recommends shipping all the binaries in a single package
as the standard deployment.  I'm trying to meet them halfway here.

The definition of Recommends is:

    This declares a strong, but not absolute, dependency.

    The Recommends field should list packages that would be found together with this one in all but unusual installations.

https://www.debian.org/doc/debian-policy/index.html#binary-dependencies-depends-recommends-suggests-enhances-pre-depends


Upstream's preference is to have all the binaries installed, and gpg
itself is never even tested upstream without having all the other
binaries available.

I'm willing to keep the split in debian to support narrowly-scoped, tiny
systems administered by technically-competent people.  But we've got
enough issues to focus on without encouraging full-blown desktop systems
that have gpg fail because of missing dependenencies, which is what i
think would happen if we moved the rest of the suite out of Recommends.
Do you think that wouldn't happen?
Description: should call out secret key use separately from, say,
network access, or other modules of the suite?

gpg is not a daemon, it's a one-shot process, which knows how to talk to
various system daemons.

they most certainly do -- for just one example, in a batch script where
gpg is invoked a number of times, the long-running dirmngr process can
cache knowledge about the network between invocations of gpg.

#873499#50
Date:
2017-09-11 18:03:22 UTC
From:
To:
<...>

There's one intricate example which I think would be useful for
discussion: what should libgpgme11 do? It currently depends on gnupg,
which installs the full suite. But that's a result of the old package
structure.

I would (personally) make libgpgpme11 depend on gpg only, and move the
burden of the final call to the actual tool facing the user. For
example, notmuch, which uses libgmime which in turn uses libgpgme11 does
that correctly by recommending the agent and gpgsm.

But I do see your point. It's an added burden on the maintainer.

My reasoning is that gpg is supposed to do encryption/decryption and
signing, and if you can't decrypt or sign because you don't have the
agent you're probably wondering what can you actually do with it.

I still see certificate management and network support as extra.

I guess this could happen.

This probably stems for my own usage of gpg itself, which doesn't
involve any network usage on the gpg part.

#873499#55
Date:
2018-10-25 14:28:34 UTC
From:
To:
Control: affects 873499 src:gnupg2

Following up on this again, since the GnuPG packaging split seems to be
stable at this point.

afaict, pass needs only secret key operations, and not network access.

If that's the case, I would recommend that pass switch to:

    Depends: gpg, gpg-agent

If someone needs to use their smartcard, they will install scdaemon
themselves.  If pass wants to Recommends: scdaemon, that's also fine.

And please, drop all reference to the gnupg2 package, and avoid all
references internally to /usr/bin/gpg2, preferring just to find "gpg" on
the path.  i'd like to eventually get rid of that dummy/symlink package.

#873499#62
Date:
2025-05-27 11:19:04 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
password-store, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873499@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated password-store package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 27 May 2025 11:57:30 +0100
Source: password-store
Architecture: source
Version: 1.7.4-8
Distribution: unstable
Urgency: medium
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 873499
Changes:
 password-store (1.7.4-8) unstable; urgency=medium
 .
   [ Paride Legovini ]
   * d/control: Replace dependency on gnupg with gpg, gpg-agent (closes:
     #873499).
Checksums-Sha1:
 66501afd62a964f4581695a2dcb1957f43ee144e 2186 password-store_1.7.4-8.dsc
 9957d8dcd7259396e8b6b78a92a8800ea402fccf 8280 password-store_1.7.4-8.debian.tar.xz
Checksums-Sha256:
 1f93c658099ac732ba43e11f9833db0644d3df0f3554f1d8bd229e5e7219d4ae 2186 password-store_1.7.4-8.dsc
 317ad8794801216db980da8ef8c3aca8d79969058956abbd9b0af781a64b7d7e 8280 password-store_1.7.4-8.debian.tar.xz
Files:
 fa4365195ea60e2b9c0d203b172be534 2186 admin optional password-store_1.7.4-8.dsc
 701546b6bd2e211ac280cefdb3e588c9 8280 admin optional password-store_1.7.4-8.debian.tar.xz
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmg1mrMACgkQOTWH2X2G
UAscDg/+LvT3uraAQHqVCsP/LlXBcRW8g3pBmzrfMYwHiZxrZ2YLzDkIU6gTFKJq
ttu4XkUArCkHn/k+yYPDsb70p668N+EJHMnC/IeRvp4C/f+u8FP4RvLeyScOJw5t
hSe2Jr1pqNsbbyvqNju7QywF1B01cuI8Yi/KJKBKYvpaHMPTqc9K4edd+3WmLh56
hZ07ONBHGf/xoYxGbDP8YL/MXy30A1g9Fz/3q0CYRg/QjY7vedNA1U8gG2tZpLoi
f6zEOOYGwkkTISieoxkOpnbC8gC8UWirqGyDeN8Ps0l5KNH1OBQEj4lc6PkzR28J
geFXGRq6gRvrHUlmGiY3aaDDANOWSb0BMc4RMSyBCF3+vW2VG+sb8sshYRsIk1YS
nhAfnSVjt23W8Fb9r0wsK4/jN2AZ8B2gXk5rDFyV4N6u1bOMvbpcdjEX+Wa2i3pI
7ppiaETf1ojOS2UTVX8O+LXdSC0IQwRNxVMUsUUFk9/xtCEYoUmMoGLpX5npKKcE
9ol/3uEvJcYXmkW0lJcXY8a+/rEdofuSCmNXKlRgyjOEGLYx5AvoO1BDdkfz43VN
4h+qFHVPxtJQTj2jorHeQbv8A9ktCPe/UYhfVKqyBLSUrIggHTpaqiM5aSOc4CxV
bjjZgZqtbDJNiWlbOnr58rfZp7KxX/820X6owpOHIExDTvYaWpw=
=lo2q
-----END PGP SIGNATURE-----