F43 Change Proposal: Modular GnuPG packaging (self-contained)

Wiki - https://fedoraproject.org/wiki/Changes/Modular_GnuPG_Packaging
Discussion thread -
https://discussion.fedoraproject.org/t/f43-change-proposal-modular-gnupg-packaging-self-contained/148880

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

== Summary ==

Currently GnuPG is packaged in a way that puts almost all tools and
services into a single, monolithic RPM package. However, only few
tools from the gnupg2 package are actually used by other tools and
users. With this change, core tools and optional utilities are split
off into separate packages.

== Owner ==

* Name: [[User:Decathorpe| Fabio Valentini]]
* Email: <decathorpe AT gmail DOT com>
* Name: [[User:Jjelen| Jakub Jelen]]
* Email: <jjelen AT redhat DOT com>


== Detailed Description ==

Currently GnuPG is packaged as a monolithic RPM that contains all
tools and services (except the S/MIME support, which is in
gnupg2-smime, but which is also pulled in by default).

This Change proposes to split the tools provided by the monolithic
gnupg2 package into different subpackages, in part based on in how
GnuPG 2.4 is packaged in debian:

* gnupg2: gpg executable
* gnupg2-dirmngr: certificate management service
* gnupg2-g13: encrypted file system containers
* gnupg2-gpgconf: core configuration utilities
* gnupg2-gpg-agent: cryptographic agent
* gnupg2-keyboxd: public key material service
* gnupg2-scdaemon: SmartCard daemon
* gnupg2-smime: S/MIME support
* gnupg2-wks: Web Key Service (WKS) client and server
* gnupg2-utils: non-essential utilities
* gnupg2-verify: gpgv executable

By default, all new subpackages except those for WKS client/server
(`-wks`) will get installed when gnupg2 is installed -- with
non-essential utilities in `-utils` being a weak dependency, like the
existing S/MIME `-smime` package.

This results in fewer unused programs and / or services being
installed and running, and would allow a more minimal install for
scenarios where only `gpg` or `gpgv` are needed, for example, for
signature verification during package builds.

Additionally, it allows swapping out the actual GnuPG implementation
with the one based on Sequoia-PGP, which only depends on `gpgconf` and
`gpg-agent` being present, but can otherwise function as a drop-in
replacement for `gpg` and `gpgv` (even via the GPGME library).

Draft implementation of this change is available in pull request:
https://src.fedoraproject.org/rpms/gnupg2/pull-request/23

Test builds are available in COPR:
https://copr.fedorainfracloud.org/coprs/decathorpe/gnupg2-split/

== Feedback ==

N/Y

== Benefit to Fedora ==

This change results in fewer unused executables and running services
being installed by default, making more components optional. It also
allows users to swap the gpg implementation on the system based on
their needs.

== Scope ==

* Proposal owners:

Packaging changes to the `gnupg2` package to introduce new subpackages.

Adapt packages that require utilities that have moved to other
subpackages of gnupg2 (TBD), file pull requests.

* Other developers:

Review and merge pull requests.

* Release engineering:

N/A (not a System-Wide Change)

* Policies and guidelines:

N/A (not a System-Wide Change)

* Trademark approval:

N/A

* Alignment with the Fedora Strategy:

N/A

== Upgrade/compatibility impact ==

On upgrade to Fedora 43, some non-essential GnuPG utilities will no
longer be available by default, and instead moved to the optional
`gnupg2-g13`, `gnupg2-utils`, and `gnupg2-wks` packages.

Alternatively, these optional packages could get pulled in on upgrade,
but not for "fresh" installs.

== How To Test ==

After upgrading to a Fedora version that has this change implemented,
most `gnupg2-` subpackages should get installed, except for those
noted in "Upgrade/compatibility impact" above. OpenPGP related
functionality of the system should continue working as expected (note
that this does *not* impact package management, which no longer uses
GnuPG in any way).

== User Experience ==

This Change should not affect most users. On a default install, some
non-essential GnuPG tools will no longer be included by default.

== Dependencies ==

N/A

== Contingency Plan ==

* Contingency mechanism:

The Change Owners will revert the changes to the gnupg2 package and
ensure an upgrade path for users who have already have the new
subpackages installed on their systems.

* Contingency deadline:

N/A (not a System Wide Change)

* Blocks release?

N/A (not a System Wide Change)

== Documentation ==

N/A (not a System Wide Change)

== Release Notes ==

The previously monolithic GnuPG package (`gnupg2`) was modularized,
with several tools and non-essential utilities having been split into
separate subpackages. The non-essential utilities (in `gnupg2-utils`)
and some services that are unused on most systems are no longer
installed by default.



--
Aoife Moloney

Fedora Operations Architect

Fedora Project

Matrix: @amoloney:fedora.im

IRC: amoloney

--
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue