news 28 Posted August 4, 2016 Short version (TL;DR) ===================== /usr/bin/gpg will soon be provided by GnuPG's "modern" branch (2.1.x) and the "classic" branch (1.4.x) will be available as /usr/bin/gpg1 The rest of this e-mail provides details for users of GnuPG and package maintainers. For more about the rationale and benefits, see https://debian-administration.org/users/dkg/weblog/116. Details below: What does this mean for users of GnuPG? --------------------------------------- Even if you use GnuPG regularly, you shouldn't notice too much of a difference. One of the main differences is that all access to your secret key will be handled through gpg-agent, which should be automatically launched as needed. This means that operations like signing and decryption will cause gpg-agent to prompt the the user to unlock any locked keys directly, rather than gpg itself prompting the user. If you have an existing keyring, you may also notice a difference based on a change of how your public keys are managed, though again this transition should ideally be smooth enough that you won't notice unless you care to investigate more deeply. If you use GnuPG regularly, you might want to read the NEWS file that ships with GnuPG and related packages for updates that should help you through the transition. If you use GnuPG in a language other than English, please install the `gnupg-l10n` package, which contains the localization/translation files. For versions where those files are split out of the main package, `gnupg` explicitly `Recommends: gnupg-l10n` already, so it should be brought in for new installations by default. If you have an archive of old data that depends on known-broken algorithms, PGP3 keys, or other deprecated material, you'll need to have "classic" GnuPG around to access it. That will be provided in the `gnupg1` package What does this mean for package maintainers? -------------------------------------------- If you maintain a package that depends on `gnupg`: be aware that the `gnupg` package in debian is going through this transition. A few general thoughts: * If your package `Depends: gnupg` for signature verification only, you might prefer to have it `Depends: gpgv` instead. `gpgv` is a much simpler tool that the full-blown GnuPG suite, and should be easier to manage. I'm happy to help with such a transition (we've made it recently with `apt` already) * If your package `Depends: gnupg` and expects `~/.gnupg/` to be laid out in a certain way, that's almost certainly going to break at some point. `~/.gnupg/` is GnuPG's internal storage, and it's not recommended to rely on any specific data structures there, as they may change. `gpg` offers commands like `--export`, `--import`, and `--delete` for manipulating its persistent storage. please use them instead! * If your package depends on parsing or displaying `gpg`'s output for the user, please make sure you use its special machine-readable form (`--with-colons`). Parsing the human-readable text is not advised and may change from version to version. If you maintain a package that depends on `gnupg2` and tries to use `gpg2` instead of `gpg`, that should stay ok. However, at some point it'd be nice to get rid of `/usr/bin/gpg2` and just have one expected binary (`gpg`). So you can help with that: * Look for places where your package expects `gpg2` and make it try `gpg` instead. If you can make your code fall back cleanly * Change your dependencies to indicate `gnupg (>= 2)` * Patch `lintian` to encourage other people to make this switch What specifically needs to happen? ---------------------------------- The last major step for this transition was renaming the source package for "classic" GnuPG to be `gnupg1`. This transition is currently in the ftp-master's NEW queue. Once it makes it through that queue, and both `gnupg1` and `gnupg2` have been in experimental for a few days without reports of dangerous breakage, we'll upload both `gnupg1` and `gnupg2` to unstable. We'll also need to do some triage on the BTS, reassigning some reports which are really only relevant for the "classic" branch. Please report bugs via the BTS as usual! You're also welcome to ask questions and make suggestions on #debian-gnupg on irc.oftc.net, or to mail the Debian GnuPG packaging team at pkg-gnupg-maint ( -at -) lists.alioth.debian.org. Happy hacking! --dkg Share this post Link to post
