knewstuff's gpg use

Harald Sitter sitter at kde.org
Thu Jan 19 11:58:52 UTC 2017


Morning,

I had the most peculiar incident just now. KNewstuff shouted at me
because I have no bin/gpg(2). As it turns out, core/security.cpp
implements some form of gpg signing verification, based on the gpg CLI
app.

Naturally, I am perplexed by this because CMake doesn't actually
report gpg as a RUNTIME dep. That's not really the problem though. The
problem is in core/installation.cpp where the Security class is
"used".

It is used by: ctoring and setting up signal connections and then the
following marvel happens:

>     // ==== FIXME: security code below must go above, when async handling is complete ====
>
>     // FIXME: security object lifecycle - it is a singleton!
>     Security *sec = Security::ref();
>
>     // FIXME: change to accept filename + signature
>     sec->checkValidity(QString());

I am pretty sure that is a no-op. Except for the fact that knewstuff
will complain visually [1] if gpg is not found in $PATH.

There are a bunch of issues with all of this:
- Security isn't actually used
- Security operates the bin/gpg CLI rather than using libgpgme which
supposedly would fit here?
- The gpg requirement is not codified in cmake
- The class, while saying it is private and not meant to be used,
actually installs its header and exports itself -.-
- The class doesn't even have an actual development history in git
(sans mass refactoring and a workaround for the very noop code seen
above)

I move that we remove every "usage" of the Security class, mark the
entire thing deprecated and rip it out with KF6.

If no one has objections I'll prep a review for this tomorrow.

[1] http://i.imgur.com/joGDtfT.png

HS
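For readers wondering what the FIXME ("change to accept filename + signature") would actually require of a gpg-CLI-based check like the one in core/security.cpp, here is an added example that is not KNewStuff code and not part of the message above. It shows the two things a non-no-op verification needs: parsing gpg's machine-readable --status-fd output (GOODSIG/VALIDSIG/BADSIG etc.) instead of its human-readable stderr, and pinning the signing key to an allow-list of fingerprints rather than accepting any key in the local keyring. The status lines used for the offline demonstration are constructed samples; the `verify_detached` function, which invokes the real gpg binary, only runs where gpg is installed and is not exercised by the demo.

```python
import re
import shutil
import subprocess
from dataclasses import dataclass, field
from typing import List, Tuple

# gpg writes one "[GNUPG:] KEYWORD args..." line per event on --status-fd
# (documented in GnuPG's doc/DETAILS).
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

# Status keywords that mean the signature must not be accepted.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}


@dataclass
class VerifyResult:
    good: bool = False            # GOODSIG seen: signature matches a known key
    valid: bool = False           # VALIDSIG seen: cryptographic check passed
    fingerprint: str = ""         # primary fingerprint from VALIDSIG, if any
    errors: List[str] = field(default_factory=list)


def parse_status(status_text: str) -> VerifyResult:
    """Reduce gpg's --status-fd stream to the facts a verifier cares about."""
    result = VerifyResult()
    for raw in status_text.splitlines():
        m = STATUS_RE.match(raw.strip())
        if not m:
            continue                       # ignore non-status noise
        keyword, args = m.group(1), (m.group(2) or "")
        if keyword == "GOODSIG":
            result.good = True
        elif keyword == "VALIDSIG":
            result.valid = True
            # first field of VALIDSIG is the fingerprint of the signing key
            result.fingerprint = args.split()[0].upper() if args else ""
        elif keyword in FAILURE_KEYWORDS:
            result.errors.append(keyword)
    return result


def is_trusted(result: VerifyResult, allowed_fingerprints) -> bool:
    """Accept only a valid, good signature from an explicitly allow-listed key."""
    allowed = {fp.upper() for fp in allowed_fingerprints}
    return (result.valid and result.good and not result.errors
            and result.fingerprint in allowed)


def verify_detached(data_path: str, sig_path: str,
                    allowed_fingerprints) -> Tuple[bool, VerifyResult]:
    """Run gpg on a detached signature; requires gpg/gpg2 in PATH (not run offline)."""
    gpg = shutil.which("gpg2") or shutil.which("gpg")
    if gpg is None:
        # This is the codified form of the runtime dependency the message complains about.
        raise FileNotFoundError("neither gpg2 nor gpg found in PATH")
    proc = subprocess.run(
        [gpg, "--batch", "--no-tty", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    result = parse_status(proc.stdout)
    return is_trusted(result, allowed_fingerprints), result


# Constructed sample status streams (hypothetical key ids and fingerprints).
PINNED_FP = "0000111122223333444455556666777788889999"

SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2017-01-19 1484827132 0 4 0 1 10 00 0000111122223333444455556666777788889999
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

SAMPLE_BAD = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>
"""

SAMPLE_UNKNOWN_KEY = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1484827132 9 -
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""


def demo() -> dict:
    """Evaluate the constructed samples against the pinned fingerprint."""
    return {
        "good_pinned": is_trusted(parse_status(SAMPLE_GOOD), [PINNED_FP]),
        "good_unpinned": is_trusted(parse_status(SAMPLE_GOOD), ["FFFF" * 10]),
        "bad": is_trusted(parse_status(SAMPLE_BAD), [PINNED_FP]),
        "unknown_key": is_trusted(parse_status(SAMPLE_UNKNOWN_KEY), [PINNED_FP]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The point of pinning is that a GOODSIG alone only says the signature matches some key in the user's keyring, which any attacker-supplied key that got imported would satisfy; the download is acceptable only when the VALIDSIG fingerprint is one the installer was built to trust. A real implementation with libgpgme would expose the same facts through `gpgme_op_verify_result` rather than text parsing, which is the argument for it over driving the CLI.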
