Bug#703431: Annoying GPG error message
On Tue, 16 Apr 2013, Robert Spencer wrote:
> >And have debian-cd extract the file and pass it around to APT and debootstrap.
> >And then DEBOOTSTRAP_OPTS would default to "--no-check-gpg" and we would just
> >unset it to activate the GPG check at the debootstrap level.
> >
> >Can you implement this?
>
> Patch file attached. Again it's for debian-cd 3.1.12.
Thanks, but there's a small misunderstanding left here:
> # By default we use debootstrap --no-check-gpg to find out the minimal set
> # of packages because there's no reason to not trust the local mirror. But
> # you can be paranoid and then you need to indicate the keyring to use to
> # validate the mirror.
> -#export DEBOOTSTRAP_OPTS="--keyring /usr/share/keyrings/debian-archive-keyring.gpg"
> +#export DEBOOTSTRAP_OPTS="--keyring $ARCHIVE_KEYRING_FILE"
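
Review bot: the added line `+#export DEBOOTSTRAP_OPTS="--keyring $ARCHIVE_KEYRING_FILE"` relies on a variable that this hunk neither defines nor documents, while the comment above it still only says "you need to indicate the keyring to use". Extend the comment to say where ARCHIVE_KEYRING_FILE is set and whether it names a path on the build host or a path inside the keyring package, because a user who uncomments the line with the variable unset ends up passing --keyring with no argument.
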
This still requires that the keyring be installed on the system whereas
we're already extracting it from the binary package in debian-cd.

So I was suggesting to always pass the --keyring option to debootstrap
but letting it point to the extracted keyring instead of the system-wide
one.

And then CONF.sh would only contain something like this:

# By default we use debootstrap --no-check-gpg to find out the minimal set
# of packages because there's no reason to not trust the local mirror. But
# you can be paranoid and then you need to set DEBOOTSTRAP_OPTS to an
# empty value and indicate the keyring to use with ARCHIVE_KEYRING_PACKAGE
# and ARCHIVE_KEYRING_FILE.
#export DEBOOTSTRAP_OPTS="--no-check-gpg"

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
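
The behaviour proposed in the message above, as an added shell example that is not debian-cd code and not part of the thread: skip verification only when DEBOOTSTRAP_OPTS contains --no-check-gpg, otherwise always pass --keyring pointing at the keyring extracted from the package, and fail if that keyring is missing. The function names `extract_keyring` and `debootstrap_gpg_opts` are hypothetical, and the example assumes ARCHIVE_KEYRING_FILE is a path inside the keyring package.

```shell
#!/bin/sh
# Added illustration; function names and argument layout are assumptions.

# Unpack the keyring .deb taken from the local mirror and print the path of
# the extracted keyring file.
#   $1 = keyring .deb   $2 = keyring path inside the package   $3 = scratch dir
extract_keyring() {
    deb=$1
    file=${2#/}            # treat the path as relative to the package root
    dest=$3
    mkdir -p "$dest" || return 1
    dpkg-deb -x "$deb" "$dest" || return 1
    if [ ! -s "$dest/$file" ]; then
        echo "keyring $file not found in $deb" >&2
        return 1
    fi
    printf '%s\n' "$dest/$file"
}

# Print the options to hand to debootstrap.
#   $1 = DEBOOTSTRAP_OPTS as set in CONF.sh   $2 = extracted keyring path
debootstrap_gpg_opts() {
    opts=$1
    keyring=$2
    case " $opts " in
        *" --no-check-gpg "*)
            # Default case: the local mirror is trusted, no keyring needed.
            printf '%s\n' "$opts"
            return 0
            ;;
    esac
    # Verification requested: refuse to continue without a usable keyring
    # rather than silently falling back to an unchecked bootstrap.
    if [ ! -s "$keyring" ]; then
        echo "GPG check enabled but keyring '$keyring' is missing or empty" >&2
        return 1
    fi
    printf '%s\n' "${opts:+$opts }--keyring $keyring"
}

# Typical use (paths are placeholders):
#   kr=$(extract_keyring "$DEB" "$ARCHIVE_KEYRING_FILE" "$TMPDIR/keyring") &&
#   opts=$(debootstrap_gpg_opts "$DEBOOTSTRAP_OPTS" "$kr")
```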