This is for a runtime feature of portage and it appears it can gracefully handle the absence of getuto - portage does not strictly depend on getuto. For systems that do not already have gnupg installed, this also requires quite a few dependencies whether the feature will be used or not. For example, on one of my systems (albeit with a very small world), this dependency also required:
    dev-libs/libgpg-error
    dev-libs/libassuan
    dev-libs/npth
    dev-libs/nettle
    dev-libs/libksba
    net-libs/gnutls
    app-eselect/eselect-lib-bin-symlink
    app-eselect/eselect-pinentry
    dev-libs/libgcrypt
    app-crypt/pinentry
    app-crypt/gnupg
This appears to be a perfect candidate for a post-install message, explaining how to opt-in to the install+use of getuto, not forcing it onto a system where it may go unused.
Reproducible: Always
There's already an rsync-verify USE flag that pulls in gnupg and gemato. It would seem to be thematically fitting w.r.t. getuto, although mentioning rsync specifically seems incorrect (even with rsync-verify, you could be verifying git instead of rsync).
Some other packages have a "gpg" USE flag that we might also use for this. Alternatively, we could possibly add a minimal USE flag or something like that. The "build" USE flag used for stage1 builds has a similar meaning to minimal, and already disables the getuto dependency:
    !build? (
        >=app-admin/eselect-1.2
        app-portage/getuto
        >=app-shells/bash-5.0:0
        >=sec-keys/openpgp-keys-gentoo-release-20230329
        >=sys-apps/sed-4.0.5
        rsync-verify? (
            >=app-crypt/gnupg-2.2.4-r2[ssl(-)]
            >=app-portage/gemato-14.5[${PYTHON_USEDEP}]
        )
    )
minimal is probably a good idea. Though I would mask that flag in normal operation since not having gpg available is a potential security disaster.