
Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity



Hi Julian,

On Thu, Jul 01, 2021 at 02:02:43PM +0200, Julian Andres Klode wrote:
> Control: severity -1 minor
> 
> On Thu, Jul 01, 2021 at 01:51:22PM +0200, Andreas Tille wrote:
> > I have some packages for my own use (I mean there is no reason to expect
> > that someone wants to pull things from there) on my private web page
> > which I signed with my Debian key.  This was working up to recently with
> > apt-key.  Since this was not working any more I tried to follow the
> > advice given in the error message and started reading apt-secure(8)
> > where I just found a hint to apt-key which is deprecated.
> 
> There have been no changes on our side.

That's strange.
 
> > IMHO users who are using third party repositories will get a broken
> > system after upgrading to Debian 11 and there is no helpful hint given
> > how to fix it.
> > 
> > BTW, I did some
> > 
> >    apt-key del 578A0494D1C646D1
> 
> OK
> 
> > 
> > added my key to /etc/apt/trusted.gpg.d/fam-tille.gpg
> 
> So you used --keyring /etc/apt/trusted.gpg.d/fam-tille.gpg
> instead of --export > /etc/apt/trusted.gpg.d/fam-tille.gpg?
> 
> Did you read the apt-key(8) manual page?
> 
>        apt-key supports only the binary OpenPGP format (also known as
>        "GPG key public ring") in files with the "gpg" extension, not the
>        keybox database format introduced in newer gpg(1) versions
>        as default for keyring files. Binary keyring files
>        intended to be used with any apt version should therefore
>        always be created with gpg --export.
> 
> This problem happened to a lot of people, ever since gpg 2 became
> the default which switched --keyring to generate not keyrings, but
> keybox databases.

I admit the problem that it did not work yet was just on my end - I
simply copied over the wrong key.  Sorry for that part of the noise.
 
> > and added an according
> > 
> >    [signed-by=/etc/apt/trusted.gpg.d/fam-tille.gpg]
> > 
> > option to the sources.list line ... and it does not yet work.  So I
> > think it is critical to point to a solution that *really* works.
> 
> Well, it should if you have a proper GPG keyring file, and not a
> keybox file.

... the format was OK, just an old key. (Hiding behind some stone.)
 
> > Due to potential breaking user systems I wonder if someone agrees
> > with bumping the severity of the bug to serious.
> 
> I disagree, and think this bug is a minor documentation issue,
> your issue here is likely outside the computer.

I stick to the opinion that apt-secure pointing to apt-key which
is deprecated is simply the wrong thing.  I would love to see some
kind of example like

   [signed-by=/etc/apt/trusted.gpg.d/your-key.gpg]

directly and I think this should become part of Debian 11 release.  But
I will not play severity ping-pong - just stating my very personal
opinion about some direct help in our docs.  IMHO this is specifically
important since *lots* of links that can be found by your favourite
search engine are advertising the use of apt-key.

Kind regards

     Andreas.

-- 
http://fam-tille.de
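The keyring-versus-keybox distinction Julian points out above is easy to get wrong silently, so here is an added example (not part of this thread, and not apt's or gpg's own code): a POSIX shell check that classifies a candidate file for /etc/apt/trusted.gpg.d by its leading bytes, and a wrapper around the `gpg --export` step the apt-key(8) excerpt recommends. The byte signatures it relies on are the documented ones (keybox header magic `KBXf` at offset 8; an OpenPGP public-key packet starts with tag byte 0x99 in old format or 0xC6 in new format). The sample files are constructed in a temporary directory, and the function names and the KEYID/OUT placeholders are assumptions of this example.

```shell
#!/bin/sh
# Added example: detect whether a file is a binary OpenPGP keyring (what apt
# accepts), a gpg keybox database (what "--keyring" produces with gpg 2), or
# something else, before dropping it into /etc/apt/trusted.gpg.d.
# Prints one of: keybox, openpgp-binary, openpgp-armored, unknown.
apt_keyring_format() {
    f="$1"
    # First byte as two hex digits (packet tag for OpenPGP files).
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    # Bytes 9..12 hold the magic "KBXf" in a keybox header blob.
    magic=$(dd if="$f" bs=1 skip=8 count=4 2>/dev/null)
    if [ "$magic" = "KBXf" ]; then
        echo keybox
    elif [ "$first" = "99" ] || [ "$first" = "c6" ]; then
        echo openpgp-binary
    elif head -c 14 "$f" | grep -q '^-----BEGIN PGP'; then
        echo openpgp-armored
    else
        echo unknown
    fi
}

# Build an apt-usable keyring the way the thread recommends: export from your
# own gpg keyring instead of using --keyring. KEYID and OUT are placeholders
# supplied by the caller; this runs gpg and is not exercised offline.
export_apt_keyring() {
    keyid="$1"; out="$2"
    gpg --export "$keyid" > "$out" || return 1
    # Refuse to leave a file behind that apt would not load.
    if [ "$(apt_keyring_format "$out")" != "openpgp-binary" ]; then
        rm -f "$out"
        return 1
    fi
}

# Constructed sample files (not real keys) covering each case.
make_sample_keyrings() {
    dir="$1"
    # keybox header blob: length 0x20, type 1, version 1, flags 0, magic KBXf
    printf '\000\000\000\040\001\001\000\000KBXf' > "$dir/keybox.gpg"
    # old-format OpenPGP public-key packet tag (0x99) plus a 2-byte length
    printf '\231\001\015' > "$dir/ring.gpg"
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' > "$dir/key.asc"
    printf 'hello' > "$dir/junk.gpg"
}

# Stand-alone demo: classify the constructed samples and clean up.
demo_dir=$(mktemp -d)
make_sample_keyrings "$demo_dir"
for f in "$demo_dir"/*; do
    printf '%s: %s\n' "$(basename "$f")" "$(apt_keyring_format "$f")"
done
rm -rf "$demo_dir"
```

On a real system, running `apt_keyring_format` over /etc/apt/trusted.gpg.d/*.gpg is a quick way to spot a keybox file that was created with `gpg --keyring` and is therefore ignored by apt; `file(1)` reports the same distinction as "GPG keybox database" versus "PGP/GPG key public ring".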