
Bug#1071368: [gpgv] cmd-arg parse error with apt/aptitude update



On Sun, 2024-05-19 at 07:41 +0200, Andreas Metzler wrote:
> Thanks for the quick reply. You have installed gpgv-from-sq which
> diverts "our" gpgv. (I will check a little bit more and reassign to
> apt.)

Oh okay. I'd assumed that gpgv had dropped support for the argument,
either accidentally through a mistake with build args, or in a planned
way that overlooked use by apt. I wasn't expecting some third-party
drop-in to suddenly get installed with an imperfect emulation; I didn't
even know there were alternative implementations available. I did
notice the installation of the 'sq' packages, but it happened as part of
a normal upgrade, I didn't ask for them, and I assumed that it was just
another splitting up of code to minimise attack surface after the
recent high-profile supply chain attack against ssh.

So the 'sq' packages are actually a Rust-based alternative, that's
great, big fan of Rust. However, somehow it's gotten pulled in as a
replacement now, without my explicitly asking for it, when it's not
actually fully ready for use as a replacement in Debian, considering
its emulation is incomplete and it impacts something as critical as
apt.

Why did it get installed? Here's my apt log from early morning 2024-05-17, having run `aptitude upgrade`:

Install: gpgv-sq:amd64 (0.8.0-5, automatic), gpgv-from-sq:amd64 (0.8.0-5, automatic), sq:amd64 (0.33.0-3, automatic)
Upgrade: libwireshark17t64:amd64 (4.2.4-1, 4.2.5-1), libwireshark-data:amd64 (4.2.4-1, 4.2.5-1), udev:amd64 (256~rc2-1, 256~rc2-3), systemd-oomd:amd64 (256~rc2-1, 256~rc2-3), libgdk-pixbuf2.0-bin:amd64 (2.42.10+dfsg-3+b3, 2.42.12+dfsg-1), systemd-container:amd64 (256~rc2-1, 256~rc2-3), libnss-myhostname:amd64 (256~rc2-1, 256~rc2-3), libpam-systemd:amd64 (256~rc2-1, 256~rc2-3), busybox:amd64 (1:1.36.1-6+b1, 1:1.36.1-7), gir1.2-gdkpixbuf-2.0:amd64 (2.42.10+dfsg-3+b3, 2.42.12+dfsg-1), python3-typing-extensions:amd64 (4.10.0-1, 4.11.0-1), libjavascriptcoregtk-4.1-0:amd64 (2.44.1-1+b1, 2.44.2-1), libsystemd0:amd64 (256~rc2-1, 256~rc2-3), gir1.2-javascriptcoregtk-4.1:amd64 (2.44.1-1+b1, 2.44.2-1), python3-requests:amd64 (2.31.0+dfsg-1, 2.31.0+dfsg-2), gir1.2-javascriptcoregtk-6.0:amd64 (2.44.1-1+b1, 2.44.2-1), libnss-systemd:amd64 (256~rc2-1, 256~rc2-3), gir1.2-webkit2-4.1:amd64 (2.44.1-1+b1, 2.44.2-1), libgdk-pixbuf-2.0-0:amd64 (2.42.10+dfsg-3+b3, 2.42.12+dfsg-1), libjavascriptcoregtk-6.0-1:amd64 (2.44.1-1+b1, 2.44.2-1), libwiretap14t64:amd64 (4.2.4-1, 4.2.5-1), systemd:amd64 (256~rc2-1, 256~rc2-3), libudev1:amd64 (256~rc2-1, 256~rc2-3), libnss-mymachines:amd64 (256~rc2-1, 256~rc2-3), wireshark-common:amd64 (4.2.4-1, 4.2.5-1), gpgv:amd64 (2.2.43-3, 2.2.43-5), systemd-resolved:amd64 (256~rc2-1, 256~rc2-3), python3-numpy:amd64 (1:1.26.4+ds-8, 1:1.26.4+ds-9), libyuv0:amd64 (0.0.1888.20240509-3, 0.0.1888.20240509-4), libwebkit2gtk-4.1-0:amd64 (2.44.1-1+b1, 2.44.2-1), libnss-resolve:amd64 (256~rc2-1, 256~rc2-3), libwsutil15t64:amd64 (4.2.4-1, 4.2.5-1), gir1.2-webkit-6.0:amd64 (2.44.1-1+b1, 2.44.2-1), libsystemd-shared:amd64 (256~rc2-1, 256~rc2-3), systemd-sysv:amd64 (256~rc2-1, 256~rc2-3), libwebkitgtk-6.0-4:amd64 (2.44.1-1+b1, 2.44.2-1), wireshark:amd64 (4.2.4-1, 4.2.5-1), linux-libc-dev:amd64 (6.7.12-1, 6.8.9-1), libgdk-pixbuf2.0-common:amd64 (2.42.10+dfsg-3, 2.42.12+dfsg-1)

Having a quick look now at `gpgv-from-sq` and `gpgv-sq` in `aptitude -i`,
I see nothing depending on the former, and only the former depends
on the latter. There's also the `sq` package... I see `dpkg-dev` (which
I have installed) lists `sq` as an alternative to a dependency on both
`gpgv` and `gnupg`. Hmm.

Ah, I recall that some gpg packages were held back from upgrade during
this time. Only the `gpgv` package got upgraded in the above log. Only
later in the day did the rest get upgraded:

Install: linux-image-6.8.9-amd64:amd64 (6.8.9-1, automatic), linux-headers-6.8.9-common:amd64 (6.8.9-1, automatic), linux-kbuild-6.8.9:amd64 (6.8.9-1, automatic), linux-headers-6.8.9-amd64:amd64 (6.8.9-1, automatic)
Upgrade: gpg:amd64 (2.2.43-3, 2.2.43-6), linux-headers-amd64:amd64 (6.7.12-1, 6.8.9-1), gnupg:amd64 (2.2.43-3, 2.2.43-6), gpg-wks-server:amd64 (2.2.43-3, 2.2.43-6), gpg-agent:amd64 (2.2.43-3, 2.2.43-6), linux-image-amd64:amd64 (6.7.12-1, 6.8.9-1), gpgv:amd64 (2.2.43-5, 2.2.43-6), gpgsm:amd64 (2.2.43-3, 2.2.43-6), dirmngr:amd64 (2.2.43-3, 2.2.43-6), 7zip:amd64 (24.05+dfsg-2, 24.05+dfsg-3), gnupg-utils:amd64 (2.2.43-3, 2.2.43-6), gnupg-l10n:amd64 (2.2.43-3, 2.2.43-6), gpg-wks-client:amd64 (2.2.43-3, 2.2.43-6), gpgconf:amd64 (2.2.43-3, 2.2.43-6), intel-microcode:amd64 (3.20240312.1, 3.20240514.1)

So it seems that with some of the gpg packages held back, including
`gnupg`, `aptitude upgrade` chose to pull in `sq` as a replacement. :/
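
A check for the situation this message describes, added here as an example (it is not part of the bug report, nor of Debian's gpgv or gpgv-from-sq packaging): it parses `dpkg-divert --list` output to name the package that has diverted /usr/bin/gpgv, and pulls the packages flagged `automatic` out of an apt history `Install:` line. The two sample diversion lines and the `/usr/bin/gpgv.gnupg` target path are constructed for the example; the sample `Install:` line is the one from the log above. The live check at the end runs only where dpkg is present.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the sq/gnupg packages.
# Two helpers: which package (if any) has diverted a path, and which packages
# an apt history "Install:" line records as pulled in automatically.

# Print the package named in a `dpkg-divert --list` line that diverts $2
# ("diversion of FROM to TO by PACKAGE"), "local" for a local diversion
# ("local diversion of FROM to TO"), or "none" if no line matches.
diverting_package() {
    printf '%s\n' "$1" | awk -v target="$2" '
        $1 == "diversion" && $3 == target { print $NF; found = 1 }
        $1 == "local" && $4 == target     { print "local"; found = 1 }
        END { if (!found) print "none" }'
}

# From an apt history "Install: pkg:arch (ver, automatic), ..." line, print
# the pkg:arch names flagged automatic, space separated on one line.
automatic_installs() {
    printf '%s\n' "$1" | awk '
        BEGIN { FS = "\\), " }              # split on the "), " between entries
        {
            sub(/^Install: /, "")           # assigning $0 re-splits on FS
            n = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /, automatic\)?$/) {
                    split($i, f, " ")       # f[1] is pkg:arch
                    printf "%s%s", (n++ ? " " : ""), f[1]
                }
            print ""
        }'
}

# Constructed sample of `dpkg-divert --list` output. The ".gnupg" target
# path is an assumption; the diverting package is the one named in the report.
SAMPLE_DIVERT='diversion of /usr/bin/gpgv to /usr/bin/gpgv.gnupg by gpgv-from-sq
diversion of /usr/share/man/man1/gpgv.1.gz to /usr/share/man/man1/gpgv.gnupg.1.gz by gpgv-from-sq'

# The Install: line from the apt log quoted in the report.
SAMPLE_INSTALL='Install: gpgv-sq:amd64 (0.8.0-5, automatic), gpgv-from-sq:amd64 (0.8.0-5, automatic), sq:amd64 (0.33.0-3, automatic)'

echo "sample: /usr/bin/gpgv diverted by: $(diverting_package "$SAMPLE_DIVERT" /usr/bin/gpgv)"
echo "sample: installed automatically: $(automatic_installs "$SAMPLE_INSTALL")"

# Live check on this host, skipped where dpkg is not installed.
if command -v dpkg-divert >/dev/null 2>&1; then
    live=$(dpkg-divert --list '/usr/bin/gpgv' 2>/dev/null || true)
    echo "host: /usr/bin/gpgv diverted by: $(diverting_package "$live" /usr/bin/gpgv)"
    if command -v gpgv >/dev/null 2>&1; then
        echo "host: gpgv --version reports: $(gpgv --version 2>/dev/null | head -n 1)"
    fi
fi
```

If the host line names a diverting package, the `gpgv` that apt calls is not the one from the `gpgv` package, whatever `dpkg -S /usr/bin/gpgv` says. To find out why the resolver chose the alternative, `aptitude why gpgv-from-sq` and `apt-mark showauto` show the dependency chain and the auto-installed flag that the history log only hints at.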
