---------------------------
**GnuPG >= 2.1 compatibility for repository signing.**
This release became rather more involved than I had hoped it would 😇 because
of backwards incompatibilities in GnuPG >= 2.1 that necessitated changes in the
API that deb-pkg-tools presents to its users:
- The ``--secret-keyring`` option has been obsoleted and is ignored and
the suggested alternative is the use of an `ephemeral home directory`_ which
changes how a key pair is specified.
- This impacts the API of the ``deb_pkg_tools.gpg.GPGKey`` class as well as
the ``repos.ini`` support in ``deb_pkg_tools.repo.update_repository()``.
The documentation has been updated to explain all of this, refer to the
``deb_pkg_tools.gpg`` module for details. Detailed overview of changes:
- The ``deb_pkg_tools.gpg.GPGKey`` class is now based on ``property-manager``
and no longer uses instance variables, because this made it easier for
me to split up the huge ``__init__()`` method into manageable chunks.
A side effect is that ``__init__()`` no longer supports positional
arguments which technically speaking is **backwards incompatible**
(although I never specifically intended it to be used like that).
- The ``deb_pkg_tools.gpg.GPGKey`` class now raises an exception when it
detects that the use of an isolated key pair is intended but the
``directory`` option has not been provided even though GnuPG >= 2.1 is
being used. While this exception is new, the previous behavior on
GnuPG >= 2.1 was anything but sane, so any thoughts about the
backwards compatibility of this new exception are a moot point.
- The ``deb_pkg_tools.gpg.GPGKey`` used to raise ``TypeError`` when a key pair
is explicitly specified but only one of the two expected files exists, in
order to avoid overwriting files not "owned" by deb-pkg-tools. An exception
is still raised but the type has been changed to ``EnvironmentError`` because
I felt that it was more appropriate. This is technically **backwards
incompatible** but I'd be surprised if this affects even a single user...
- The repository activation fall back test (that generates an automatic
signing key in order to generate ``Release.gpg``) was failing for me on
Ubuntu 18.04 and in the process of debugging this I added support for
``InRelease`` files. In the end this turned out to be irrelevant to the
issue at hand, but I saw no harm in keeping the ``InRelease`` support.
This is under the assumption that the presence of an ``InRelease`` file
shouldn't disturb older ``apt-get`` versions (which seems like a sane
assumption to me - it's just a file on a webserver, right?).
- Eventually I found out that the repository activation fall back test
was failing due to the key type of the automatic signing key that's
generated during the test: As soon as I changed that from DSA to RSA
things started working.
- GnuPG profile directory initialization now applies 0700 permissions to
avoid noisy warnings from GnuPG.
- Added Python 3.7 to tested and and supported versions.
- Improved ``update_repository()`` documentation.
- Moved function result caching to ``humanfriendly.decorators``.
- I've changed ``Depends`` to ``Recommends`` in ``stdeb.cfg``, with the
following rationale:
- The deb-pkg-tools package provides a lot of loosely related functionality
depending on various external commands. For example building of Debian
binary packages requires quite a few programs to be installed.
- But not every use case of deb-pkg-tools requires all of these external
commands, so demanding that they always be installed is rather inflexible.
- In my specific case this dependency creep blocked me from building
lightweight tools on top of deb-pkg-tools, because the dependency chain
would pull in a complete build environment. That was more than I bargained
for when I wanted to use a few utility functions in deb-pkg-tools 😅.
- With this change, users are responsible for installing the appropriate
packages. But then I estimate that less than one percent of my users are
actually affected by this change, because of the low popularity of
solutions like stdeb_ and py2deb_ 😇.
- Only the python-apt_ package remains as a strict dependency instead of a
recommended dependency, see 757286fc8ce_ for the rationale.
- Removed python-apt_ intersphinx reference (`for now
<https://bugs.launchpad.net/ubuntu/+source/python-apt/+bug/1799807>`_).
- Added this changelog to the repository and documentation.
.. _Release 5.0: https://github.com/xolox/python-deb-pkg-tools/compare/4.5...5.0
.. _stdeb: https://pypi.org/project/stdeb/
.. _ephemeral home directory: https://www.gnupg.org/documentation/manuals/gnupg/Ephemeral-home-directories.htmlEphemeral-home-directories
.. _757286fc8ce: https://github.com/xolox/python-deb-pkg-tools/commit/757286fc8ce
.. _python-apt: https://packages.debian.org/python-apt