
Bug#703431: Annoying GPG error message



On Wed, 10 Apr 2013, Robert Spencer wrote:
> I don't have a non-Debian system to test it on, but I hope the
> attached patch file meets your requirements (it's for debian-cd
> 3.1.12).
> 
> I have tested it on my build system and the defaults work.

I applied it. But thinking a bit more about what you did, there's
more to improve. First, you enable all keyrings in /usr/share/keyrings
which means also /usr/share/keyrings/debian-archive-removed-keys.gpg.
I don't think that we should use this one.

So we should be able to tell that we want to use a specific keyring
and not assume that all those in /usr/share/keyrings/ are OK.

> On a related note, should I file a bug on the addition of the
> following line to CONF.sh or just provide another patch?
> 
> #export DEBOOTSTRAP_OPTS="--keyring
> /usr/share/keyrings/debian-archive-keyring.gpg"

I do not understand your question. That line is already in CONF.sh.

$ grep DEBOOTSTRAP_OPTS CONF.sh 
unset DEBOOTSTRAP_OPTS   || true
#export DEBOOTSTRAP_OPTS="--keyring /usr/share/keyrings/debian-archive-keyring.gpg"

But when you see that line it seems obvious that there's room for improvement
here. Why should we have to specify the keyring file twice, once for APT and
once for debootstrap?

So IMO we should be able to use only two parameters:

ARCHIVE_KEYRING_PACKAGE=debian-archive-package
ARCHIVE_KEYRING_FILE=/usr/share/keyrings/debian-archive-keyring.gpg

And have debian-cd extract the file and pass it around to APT and debootstrap.
And then DEBOOTSTRAP_OPTS would default to "--no-check-gpg" and we would just
unset it to activate the GPG check at the debootstrap level.

Can you implement this?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
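
A sketch of the "pass it around" step proposed in the mail above, as an added example that is not part of the original message or of debian-cd: a single ARCHIVE_KEYRING_FILE yields both the APT and the debootstrap options, and the removed-keys keyring is refused. The function names and the use of APT's Dir::Etc::trusted option are assumptions; extracting the file from the keyring package is not shown.

```shell
#!/bin/sh
# Added illustration, not debian-cd code. Function names are hypothetical.

# The one keyring file the build should trust (default path from the mail).
: "${ARCHIVE_KEYRING_FILE:=/usr/share/keyrings/debian-archive-keyring.gpg}"

# Fail closed unless the configured keyring is a readable, non-empty file
# and is not the removed-keys keyring the mail says should not be used.
require_keyring() {
    case "${ARCHIVE_KEYRING_FILE##*/}" in
        *removed-keys*)
            echo "refusing removed-keys keyring: $ARCHIVE_KEYRING_FILE" >&2
            return 1 ;;
    esac
    if [ ! -r "$ARCHIVE_KEYRING_FILE" ] || [ ! -s "$ARCHIVE_KEYRING_FILE" ]; then
        echo "keyring missing or empty: $ARCHIVE_KEYRING_FILE" >&2
        return 1
    fi
}

# APT: point the trusted keyring at this one named file.
# Assumption: debian-cd's apt calls accept extra -o options. Keyrings in
# Dir::Etc::trustedparts are a separate setting and are not changed here.
apt_keyring_opts() {
    require_keyring || return 1
    printf '%s\n' "-o Dir::Etc::trusted=$ARCHIVE_KEYRING_FILE"
}

# debootstrap: a set DEBOOTSTRAP_OPTS (e.g. "--no-check-gpg") is passed
# through unchanged; unsetting it enables the check with the same keyring.
debootstrap_keyring_opts() {
    if [ -n "${DEBOOTSTRAP_OPTS+set}" ]; then
        printf '%s\n' "$DEBOOTSTRAP_OPTS"
        return 0
    fi
    require_keyring || return 1
    printf '%s\n' "--keyring=$ARCHIVE_KEYRING_FILE"
}
```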

