It looks like rpm-sign-libs is now a hard dependency for rpm since 6.0 alpha. And rpm-sign-libs has a hard dependency on gnupg2, which now pulls in a *lot* more packages into the minimal buildroot:

- gnupg2
- gnutls
- ima-evm-utils-libs
- libassuan
- libfsverity
- libgcrypt
- libgpg-error
- libksba
- libusb1
- nettle
- npth
- rpm-sign-libs
- tpm2-tss

This seems unfortunate, given that the rest of the packaging stack has dropped dependencies on gnupg2 / gpgme (rpm, dnf, etc.), and increases the size of the minimal buildroot substantially.

Reproducible: Always
rpm-sign-libs is not a dependency of *rpm*, it's a dependency of *rpm-build*. But yeah that would affect the minimal buildroot somewhat. The hard dependency on gnupg2 is kinda wrong now though, it could now be "gnupg2 or sequoia-sq". The latter pulling considerably less fubar with it, but since the choice between gnupg/sequoia is a user configurable thing, expressing it through dependencies isn't going to work well.
Maybe the build-time autosigning feature should just use dlopen() instead of linking to librpmsign and just have a Recommends on it instead; that'd basically put us back to the previous situation. The gnupg/sq dependency issue within rpm-sign-libs is kind of a separate issue.
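The dlopen() approach suggested above, as an added example that is not rpm's own code: the build tool tries to load librpmsign at run time and, if the library (or the symbol it needs) is absent, skips autosigning instead of failing to start. The soname list, the symbol name probed, and the `autosign_*` helper names are assumptions for illustration; nothing here calls into rpm's actual signing API.

```c
/* Added example: optional librpmsign via dlopen() with a graceful fallback.
 * Not rpm's code; sonames and symbol name below are assumptions. */
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

/* Sonames to try in order; the versioned name is an assumption. */
static const char *const RPMSIGN_CANDIDATES[] = {
    "librpmsign.so.10", "librpmsign.so", NULL
};

/* Try each candidate soname; return the first handle that loads, or NULL.
 * RTLD_LOCAL keeps the optional library's symbols out of the global scope. */
void *autosign_load(const char *const *candidates)
{
    for (; candidates && *candidates; candidates++) {
        void *h = dlopen(*candidates, RTLD_NOW | RTLD_LOCAL);
        if (h)
            return h;
    }
    return NULL;
}

/* Resolve one symbol from a loaded handle; NULL if the handle or symbol is missing. */
void *autosign_resolve(void *handle, const char *symbol)
{
    if (!handle || !symbol)
        return NULL;
    return dlsym(handle, symbol);
}

/* Decide whether build-time autosigning is usable.
 * Returns 1 if the library and the needed entry point are present, 0 otherwise.
 * A missing library is a soft failure: the build continues unsigned. */
int autosign_available(const char *const *candidates, const char *symbol)
{
    void *h = autosign_load(candidates);
    if (!h) {
        fprintf(stderr, "autosign: librpmsign not found (%s); skipping signing\n",
                dlerror() ? dlerror() : "no error detail");
        return 0;
    }
    if (!autosign_resolve(h, symbol)) {
        fprintf(stderr, "autosign: %s not exported; skipping signing\n", symbol);
        dlclose(h);
        return 0;
    }
    dlclose(h);
    return 1;
}

int main(void)
{
    /* "rpmPkgSign" is used only as the probed symbol name; no call is made. */
    int ok = autosign_available(RPMSIGN_CANDIDATES, "rpmPkgSign");
    printf("autosigning %s\n", ok ? "available" : "unavailable, continuing");
    return 0;
}
```

On older glibc the dlopen family lives in libdl, so add `-ldl` when linking; the Recommends on rpm-sign-libs then only affects whether signing happens, never whether rpm-build installs or starts.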
> since the choice between gnupg/sequoia is a user configurable thing, expressing it through dependencies isn't going to work well

In that case, would it make sense to depend on *neither*, and let users pull in the dependency manually that matches their configuration?
(In reply to Panu Matilainen from comment #1)

> rpm-sign-libs is not a dependency of *rpm*, it's a dependency of *rpm-build*. But yeah that would affect the minimal buildroot somewhat.
>
> The hard dependency on gnupg2 is kinda wrong now though, it could now be "gnupg2 or sequoia-sq". The latter pulling considerably less fubar with it, but since the choice between gnupg/sequoia is a user configurable thing, expressing it through dependencies isn't going to work well.

Shouldn't this be addressable by a Provides (let's call it "rpm-signing") in gnupg2 and sequoia-sq and then have rpm-build depend on "rpm-signing" instead of gnupg2?
As far as I can tell, this has the same problems as "Requires: (gnupg2 or sequoia-sq)", just with extra steps. And in both cases, there is either an implicit (alphabetical?) or explicit (Suggests: ...) preference.