
Bug#703431: Annoying GPG error message



On Tue, 16 Apr 2013, Robert Spencer wrote:
> >And have debian-cd extract the file and pass it around to APT and debootstrap.
> >And then DEBOOTSTRAP_OPTS would default to "--no-check-gpg" and we would just
> >unset it to activate the GPG check at the debootstrap level.
> >
> >Can you implement this ?
> 
> Patch file attached. Again it's for debian-cd 3.1.12.

Thanks, but there's a small misunderstanding left here:

>  # By default we use debootstrap --no-check-gpg to find out the minimal set
>  # of packages because there's no reason to not trust the local mirror. But
>  # you can be paranoid and then you need to indicate the keyring to use to
>  # validate the mirror.
> -#export DEBOOTSTRAP_OPTS="--keyring /usr/share/keyrings/debian-archive-keyring.gpg"
> +#export DEBOOTSTRAP_OPTS="--keyring $ARCHIVE_KEYRING_FILE"
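Review bot: the comment block above the changed line never names ARCHIVE_KEYRING_FILE, yet the new `+` line depends on it being set when the export is evaluated. If someone uncomments the line while the variable is unset at that point, the value becomes `--keyring ` with no path. Suggest naming ARCHIVE_KEYRING_FILE in the comment ("you need to indicate the keyring to use") and saying where it has to be defined relative to this line.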

This still requires that the keyring be installed on the system whereas
we're already extracting it from the binary package in debian-cd.

So I was suggesting to always pass the --keyring option to debootstrap
but letting it point to the extracted keyring instead of the system-wide
one.

And then CONF.sh would only contain something like this:

# By default we use debootstrap --no-check-gpg to find out the minimal set
# of packages because there's no reason to not trust the local mirror. But
# you can be paranoid and then you need to set DEBOOTSTRAP_OPTS to an
# empty value and indicate the keyring to use with ARCHIVE_KEYRING_PACKAGE
# and ARCHIVE_KEYRING_FILE.
#export DEBOOTSTRAP_OPTS="--no-check-gpg"

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
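
An added sketch, not debian-cd code and not part of the mail above, of the behaviour the message proposes: `--keyring` always points at the keyring extracted from the package, an unset DEBOOTSTRAP_OPTS defaults to `--no-check-gpg`, and an empty value turns the check on. The function name `build_debootstrap_opts` and the fail-closed test on the extracted file are assumptions.

```shell
#!/bin/sh
# Added illustration; build_debootstrap_opts is a hypothetical helper.
# $1 = path of the keyring extracted from ARCHIVE_KEYRING_PACKAGE
#      (assumed to contain no whitespace, since the result is a flat
#      option string like DEBOOTSTRAP_OPTS itself).
build_debootstrap_opts() {
    keyring=$1
    default_opts="--no-check-gpg"

    # ${VAR-default} applies the default only when VAR is unset.
    # ${VAR:-default} would also replace an explicitly empty value,
    # silently switching the GPG check back off for the user who set
    # DEBOOTSTRAP_OPTS="" to enable it.
    opts=${DEBOOTSTRAP_OPTS-$default_opts}

    case " $opts " in
        *" --no-check-gpg "*) check=no ;;
        *)                    check=yes ;;
    esac

    # When the check is active, refuse to continue without a usable
    # keyring instead of handing debootstrap a missing or empty file.
    if [ "$check" = yes ] && [ ! -s "$keyring" ]; then
        echo "extracted keyring missing or empty: $keyring" >&2
        return 1
    fi

    # Always pass --keyring, pointing at the extracted file rather
    # than a system-wide keyring.
    printf '%s\n' "${opts:+$opts }--keyring $keyring"
}

# Constructed demo: a temporary file stands in for the extracted keyring.
demo_keyring=$(mktemp)
printf 'constructed placeholder\n' > "$demo_keyring"
unset DEBOOTSTRAP_OPTS
build_debootstrap_opts "$demo_keyring"   # default: check skipped
DEBOOTSTRAP_OPTS=""
build_debootstrap_opts "$demo_keyring"   # empty value: check active
rm -f "$demo_keyring"
```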

