[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: debian-archive-keyring installing ubuntu keys?

On 2014-03-26 8:39, Daniel Pocock wrote:
I have a project that is building in the travis-ci.org environment
(based on Ubuntu)
Unpacking debian-archive-keyring (from
.../debian-archive-keyring_2010.08.28_all.deb) ...
Setting up debian-archive-keyring (2010.08.28) ...

That package is older than the version in squeeze (i.e. oldstable).

However, even fetching the package from Ubuntu trivially shows that it does not contain any non-Debian keys:

$ wget http://mirrors.kernel.org/ubuntu/pool/universe/d/debian-archive-keyring/debian-archive-keyring_2010.08.28_all.deb
$ mkdir debtmp
$ dpkg-deb -x debian-archive-keyring_2010.08.28_all.deb debtmp
$ gpg --no-default-keyring --keyring debtmp/usr/share/keyrings/debian-archive-keyring.gpg --list-keys

pub   1024D/F42584E6 2008-04-06 [expired: 2012-05-15]
uid Lenny Stable Release Key <debian-release@lists.debian.org>

pub   4096R/55BE302B 2009-01-27 [expired: 2012-12-31]
uid Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>

pub   2048R/6D849617 2009-01-24 [expired: 2013-01-23]
uid Debian-Volatile Archive Automatic Signing Key (5.0/lenny)

pub   4096R/B98321F9 2010-08-07 [expires: 2017-08-05]
uid Squeeze Stable Release Key <debian-release@lists.debian.org>

pub   4096R/473041FA 2010-08-27 [expires: 2018-03-05]
uid Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>


<ftpmaster@ubuntu.com>" not changed
gpg: key FBB75451: "Ubuntu CD Image Automatic Signing Key
<cdimage@ubuntu.com>" not changed
gpg: Total number processed: 2
gpg:              unchanged: 2

This suggests that you've got ubuntu-keyring installed in the environment.

You'll notice that the messages all say "not changed". There are no new keys being added at this point. What's happening is this:

if which apt-key > /dev/null; then
    apt-key update

[from debian-archive-keyring's postinst]

Is this simply because I'm trying to use packages from sid?  Or is this
"debian-archive-keyring" package at fault?

As far as I can tell, neither of these is the case. If you don't want your environment to contain Ubuntu keys, don't install ubuntu-keyring in it.

I can't see how to easily tell from your setup exactly what's installed in the environment before your job started, or I'd supply a link.

My understanding is that
because the package has debian in the name, it will give me Debian
project keys.

It does.



Reply to: