HEADS UP : security/gnupg will be upgraded to 2.0.1

Doug Barton dougb at FreeBSD.org
Mon Dec 11 23:43:52 PST 2006


Jun Kuriyama wrote:

> At first, thank you for helping to upgrade our gnupg world to
> 2.0.x.  And sorry I cannot explain as you can feel reasonable.

I just want to make sure that the relevant issues are well thought
out, which it sounds like you have done.

> I just think "security/gnupg" should be used as "what you should
> choose" for "GnuPG".  If new ports user wants to install GnuPG, I hope
> there is "security/gnupg" as recommended stable version.

Well, I think that's a reasonable position in terms of how things are
traditionally done in our ports system. I'm not sure I would agree
that we should be pushing users toward adopting 2.x as the default
just yet, but I don't have a strong argument for either position.

If this is your plan, it leads me to the next question, which is how
are you going to handle the fact that GnuPG 2.x does not install a
binary named "gpg?" Will you install a symlink if gnupg1 is not
installed? And if so, will it CONFLICT with that port? If we are going
to suggest to users that 2.x is the default, I think we need to
provide support for those legacy(?) apps that think gnupg is spelled gpg.

> I understand GnuPG developers think 1.4.x will be kept, but I think
> dependents will migrate to use the modularized 2.0.x line.  Though
> development continues, the number of API consumers of the 1.4.x line
> will be getting smaller.

I don't disagree with you necessarily, I just don't think that's a
good reason to make our default 2.x at this time.

> Anyway, this way may be old-porters' thinking.  I liked to use
> "<category>/<portname>" directory name (without version number).
> Using version number in ports directory is very exceptional event for
> keeping old ports (like "emacs", "emacs19", "emacs20").  I thought
> this is the way to indicate "what you should choose" for port users.
> 
> But, there are port directories with version number than past.  I can
> change my mind if it is suitable recently.

I think that given your intention of making 2.x the default, your plan
is the right way to achieve that. I'm just not sure it's the right way
to go forward, at least in the short term.

Andrew Pantyukhin wrote:

> An unversioned directory is the maintainer-designated
> default version of a port.

Traditionally that has been the case, yes.

> Unless its upgrades break
> a whole bunch of ports (like python did), it's none
> of our business when and why they happen. An advance
> heads-up is nice, but redundant.

I do not agree with this at all. GnuPG 2 is a completely different way
of accomplishing the same tasks. Personally, I think it will be a POLA
violation for users expecting to be able to install
"ports/security/gnupg" and have something that "just works" as gnupg
1.x does. At minimum 2.x requires at least one pinentry program, and
you don't really get all the benefit from 2.x unless you set up
gpg-agent at least. And that doesn't even begin to account for the
differences in library dependencies, the modular nature of the various
functionality in the new tools, etc.

> Doug, privately kept, but prompt versioning ways are
> one of the ports {trade,hall}marks. Gentoo is broken
> and Debian is stale, we're fighting somewhere in
> between, thanks to sane decisions our contributors
> make.

Sorry, I can't parse this paragraph at all.

> Shaun, whatever versioned dirs might seem to imply,
> they don't imply (in)stability or (in)compatibility.
> The unversioned one is the default one, that's it.
>
> Hitting users with new versions, but leaving them
> a chance to survive seems like a nice policy to me.

And in my mind, leaving the gnupg port alone and offering a gnupg2
port to allow users to make a more gradual and pain-free migration
(which is what the GnuPG developers seem to intend) is the way to go.

> To conclude, I understand how Jun feels and think
> that instead of bitching about his reasoning,

Just in case it isn't already clear, no one is "bitching" about
anything here. It's perfectly reasonable for developers to have
different ideas about how something should be done, and there is
nothing wrong with hashing it out before moving forward. In fact,
that's what grownups do in situations like this.

> we should be insanely grateful for more than 8 years
> of his impeccable gnupg maintainership.

Having spent a non-zero amount of time working on a gnupg2 port for my
own use, not to mention the updates of the related ports to get 2.x to
build, I agree with you that we should be appreciative of Jun's
efforts, and I hope that he understands that nothing I've said is
intended in any way to be critical of him or his work.

Doug


-- 

    This .signature sanitized for your protection


