FS#43154 - [gnupg] gpg incorrectly symlinked to gpg2 binary

Attached to Project: Arch Linux
Opened by Matthew Treinish (mtreinish) - Friday, 19 December 2014, 01:10 GMT
Last edited by Gaetan Bisson (vesath) - Sunday, 18 January 2015, 21:10 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Gaetan Bisson (vesath)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description: The gnupg package symlinks /usr/bin/gpg to gpg2. However gpg2 and gpg are different commands with different use cases. Gpg2 is targetted for desktop users and brings in a lot of extra dependencies, while gpg is a standalone binary which brings in less deps and is often used in embedded systems. For those familiar with using the 2 different binaries they expect that gpg refers to 1.x and gpg2 is for 2.x.

This is corroborated with the gnupg official docs: https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG.html

Additional info:
* Applies to 2.1.0-7 and checking the PKGBUILD for 2.1.1-1 in testingthe same symlink is performed there
This task depends upon

Closed by  Gaetan Bisson (vesath)
Sunday, 18 January 2015, 21:10 GMT
Reason for closing:  Won't implement
Additional comments about closing:  Arch uses the modern version of gnupg. Older versions can be found on the AUR, and any developer or trusted user that cares is free to bring them to the official repo.
Comment by Gaetan Bisson (vesath) - Friday, 19 December 2014, 06:19 GMT
We decided long ago to only provide gpg2 since its set of features is strictly larger than gpg1 and, as a general rule, Arch favours featureful software.

The symlink is there to allow scripts to find GnuPG when they do not care what version they get.

You may install GnuPG-1 on your system and use /usr/bin/gpg1. There is for instance a PKGBUILD on the AUR for that.
Comment by Matthew Treinish (mtreinish) - Sunday, 18 January 2015, 12:11 GMT
  • Field changed: Percent Complete (100% → 0%)
You actually misunderstood what I was saying. I agree with the first sentence and think its fine to only package gpg2. When I opened this bug I had no expectation of getting gpg 1.x packaged.

What I was saying is that while you added a symlink for software which doesn't care about the version that is an inherently flawed assumption. This is because the official gnupg docs say that gpg is used for v1.X and gpg2 is for 2.x. Since things are not 100% compatible between versions, by doing this you actually risk breaking scripts which are written using that as a guide. Which is contrary to your intended goal for adding the symlink.
Comment by Jan de Groot (JGC) - Sunday, 18 January 2015, 12:13 GMT
I'm running into problems with gnupg support in Seahorse (and probably gnome-keyring too): Seahorse doesn't support 2.1.

Redhat solved it this way: http://pkgs.fedoraproject.org/cgit/seahorse.git/commit/?h=f21&id=32a5dd3ad58389f9573edea28b66ceb26424db28

IMHO we should let these packages co-exist without adding symlinks that break backwards compatibility.
Comment by Gaetan Bisson (vesath) - Sunday, 18 January 2015, 21:06 GMT
So Fedora "fixed" their Seahorse issue by going back to gnupg-1; shall we understand that you intend to package gnupg-1 in our repos? Well, calling the binary /usr/bin/gpg1 would be enough to avoid conflict...

Loading...