Transitioning to GnuPG 2.1 within Debian
This is currently brainstorming, not a hard plan.
Rationale: we should eventually move from GnuPG 1.4.x to the modern version of GnuPG (the 2.1 branch) as the default in Debian. This should provide our users with elliptic-curve cryptography, a proper cryptographic agent, the better-indexed keybox format, and daemonized keyserver support (which copes better with transient pool outages).
Several different possible approaches (these could be combined):
/etc/alternatives
- make gnupg packages provide /usr/bin/gpg1 and gpgv1, etc., and point to them with /etc/alternatives
- make gnupg2 packages conflict with earlier versions of gnupg, and provide the alternatives themselves
- set the preferences such that gnupg2 is preferred
hard cutover
- the gnupg2 source package could take over the gnupg binary packages
- gnupg could start providing gnupg1 binary packages
metapackage
- introduce a metapackage that depends on gnupg2 | gnupg1
Concerns
Here are some things that the gnupg1 packaging currently provides that we ought to be providing in the gnupg2 packages:
- udev rules for smartcards (see: GnuPG/CCID_Driver)
- udebs for d-i
- win32 gpgv
Open Questions
- How long will we need to support the 1.4 branch?
- What risks does gnupg 2.1 have for the long term?
- Is it OK to drop the 2.0.x branch entirely?
- What is the time frame for this change? (can we complete the transition in stretch?)