Re: Regarding ideas to replace gpgv with sqv
On Tue, Feb 02, 2021 at 03:47:28PM +0100, Frédéric Danis wrote:
> Hello,
>
> On 02/02/2021 13:38, Andrej Shadura wrote:
> > Hello,
> >
> > > > I do not want to replace gpgv with sqv, but rather directly link to
> > > > sequioa from the C++ code.
> > > The idea for sqv originated from dkg in this bug report:
> > >
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872271
> > >
> > > As I understand it, dkg approached the gpg developers about various
> > > improvements to gpgv's interface, which he thought would be useful to
> > > Debian, but the gpg developers responded that gpgv's API is frozen.
> > > Hence his request to the hopenpgp developers to create a better tool.
> > I just wanted to chime in and note there’s also interest in doing some
> > work to replace gpgv in apt at Collabora, for the Apertis project. The
> > reason here is that we want to get rid of GnuPG as a whole in the base
> > system.
> >
> > We will have to work on this regardless of whether a decision is taken
> > or not upstream, since our situation with GnuPG is quite bad (we have to
> > ship an old GnuPG 1 in the target images because of licensing issues),
> > but it’d be best if that work was co-ordinated with the upstream and
> > other interested parties.
> >
> During the research to replace GnuPG in Apertis, I found that 2 projects can
> fit our needs: Sequoia and RNP[1].
>
> The latter is wrote in C++, and is/will be used in Thunderbird to provide
> encrypted or signed emails [2].
>
> Could it fit the Debian requirements to replace gpgv?
> Is there any drawbacks from using it?
I haven't looked into it, but it pulls in sqlite3 and libssl1.1 via
botan, and we can't provide a nice library interface for it given that
it's Apache licensed, and the APT library needs to be GPL-2.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
Reply to: