Gpgverify assumes wrong default gnupg setup (with patch)
Toon van der Pas
toon at hout.vanvergehaald.nl
Sat Feb 28 19:16:52 UTC 2004
On Sat, Feb 28, 2004 at 11:22:02AM -0600, Heath Kehoe wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I disagree. The manual page for pgpverify says: "By default, when
> running as part of INN, pgpverify expects the PGP key ring to be
> found in pathetc/pgp".
Ah, OK, but this is not about pgpverify but gpgverify. ;-)
Of course I started out by issuing a 'man gpgverify' command.
After I found out that there was no such manpage, I decided to
look at the source code ("read the source, Luke!") and read the
very comment. And from that I concluded that the intent was to let
the code function with the default gnupg setup.
Where did I go wrong?
> After importing the PGP keys, I moved the pubring file to
> <pathetc>/pgp/, and gpgverify works without needing modification.
Well, that's another way to solve it, but it is not straightforward.
There is no gpgverify manpage, and in the INSTALL file I read the
following text fragment:
"INN expects the public key ring to either be in the default
location for a PGP public key ring for the news user (generally
~news/.gnupg for GnuPG and ~news/.pgp for old PGP implementations),
or in pathetc/pgp (/usr/local/news/etc/pgp by default).
The latter is the recommended path."
This is clearly not true at the moment.
Also, I don't understand this code fragment:
    $opts .= " --keyring=$keyring" if $keyring;
The if clause is superfluous in my opinion, because the $keyring
variable will always be set. (see the gpgverify source code)
> The comment in the code is what needs to be changed, IMHO.
> It should read:
> # The keyring by default is stored in <newsetc>/pgp
> # If elsewhere, set appropriately the next line
I'm not sure.
Why do you prefer to force the user in changing the gnupg setup?
Why is the default directory ~/.gnupg not acceptable?
Normally I prefer to use default values and setups if there is
no need to deviate from them. And with your setup I am forced to
explicitly specify name and location of the keyring whenever I want
to add a key to it.
And if you persist in ~/etc/pgp as the gnupg keyring directory
it should be documented in the INSTALL file in an unambiguous way,
and in the (currently nonexistent) gpgverify manpage, of course. ;-)
Regards,
Toon.
--
"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it." - Brian W. Kernighan
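
Added example, not part of the original message and not INN's gpgverify code: a Perl sketch of the lookup order the quoted INSTALL text describes, where an explicit key ring is passed only if one exists under pathetc/pgp and gpg otherwise uses the news user's default ~/.gnupg. The sub name keyring_opts, the file name pubring.gpg and the base options are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Build the gpg option string for signature verification.
# --keyring is added only when a readable key ring file exists under
# $pathetc/pgp; otherwise nothing is added and gpg falls back to the
# calling user's default key ring directory (~/.gnupg).
sub keyring_opts {
    my ($pathetc) = @_;
    my $opts = '--quiet --batch';    # assumed base options for this sketch
    my $keyring;

    # Assumption: pubring.gpg, the classic GnuPG public key ring file name.
    my $candidate = "$pathetc/pgp/pubring.gpg";
    $keyring = $candidate if -r $candidate;

    # $keyring may be undefined here, so the guard does real work.
    $opts .= " --keyring=$keyring" if $keyring;
    return $opts;
}

# Constructed demonstration directories, not a real INN installation.
my $with    = tempdir(CLEANUP => 1);
my $without = tempdir(CLEANUP => 1);
mkdir "$with/pgp" or die "mkdir: $!";
open my $fh, '>', "$with/pgp/pubring.gpg" or die "open: $!";
close $fh;

print "key ring in pathetc/pgp: ", keyring_opts($with),    "\n";
print "no key ring there:       ", keyring_opts($without), "\n";
```

With this ordering, keys imported by the news user with a plain gpg --import are still found when nothing has been moved to pathetc/pgp.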