Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity
On Thu, Jul 01, 2021 at 02:18:17PM +0200, Andreas Tille wrote:
> Hi Julian,
>
> On Thu, Jul 01, 2021 at 02:02:43PM +0200, Julian Andres Klode wrote:
> > Control: severity -1 minor
> >
> > On Thu, Jul 01, 2021 at 01:51:22PM +0200, Andreas Tille wrote:
> > > I have some packages for my own use (I mean there is no reason to expect
> > > that someone wants to pull things from there) on my private web page
> > > which I signed with my Debian key. This was working up to recently with
> > > apt-key. Since this was not working any more I tried to follow the
> > > advice given in the error message and started reading apt-secure(8)
> > > where I just found a hint to apt-key which is deprecated.
> >
> > There have been no changes on our side.
>
> That's strange.
>
> > > IMHO users who are using third party repositories will get a broken
> > > system after upgrading to Debian 11 and there is no helpful hint given
> > > how to fix it.
> > >
> > > BTW, I did some
> > >
> > > apt-key del 578A0494D1C646D1
> >
> > OK
> >
> > >
> > > added my key to /etc/apt/trusted.gpg.d/fam-tille.gpg
> >
> > So you used --keyring /etc/apt/trusted.gpg.d/fam-tille.gpg
> > instead of --export > /etc/apt/trusted.gpg.d/fam-tille.gpg?
> >
> > Did you read the apt-key(8) manual page?
> >
> > apt-key supports only the binary OpenPGP format (also known as
> > "GPG key public ring") in files with the "gpg" extension, not the
> > keybox database format introduced in newer gpg(1) versions
> > as default for keyring files. Binary keyring files
> > intended to be used with any apt version should therefore
> > always be created with gpg --export.
> >
> > This problem happened to a lot of people, ever since gpg 2 became
> > the default which switched --keyring to generate not keyrings, but
> > keybox databases.
>
> I admit the problem that it did not work yet was just on my end - I
> simply copied over the wrong key. Sorry for that part of the noise.
>
> > > and added an according
> > >
> > > [signed-by=/etc/apt/trusted.gpg.d/fam-tille.gpg]
> > >
> > > option to the sources.list line ... and it does not yet work. So I
> > > think it is critical to point to a solution that *really* works.
> >
> > Well, it should if you have a proper GPG keyring file, and not a
> > keybox file.
>
> ... the format was OK, just an old key. (Hiding behind some stone.)
>
> > > Due to potential breaking user systems I wonder if someone agrees
> > > with bumping the severity of the bug to serious.
> >
> > I disagree, and think this bug is a minor documentation issue,
> > your issue here is likely outside the computer.
>
> I stick to the opinion that apt-secure pointing to apt-key which
> is deprecated is simply the wrong thing.
Yes, the manpages need some reshuffling. But we're about to enter
hard freeze, and I don't want to end up breaking the translations
at this point and do a big reshuffling and rewrite of the docs.
> I would love to see some kind of example like
>
> [signed-by=/etc/apt/trusted.gpg.d/your-key.gpg]
You don't _need_ signed-by if you place files in trusted.gpg.d,
everything in trusted.gpg.d is trusted by any source lacking
a signed-by.
>
> directly and I think this should become part of Debian 11 release. But
> I will not play severity ping-pong - just stating my very personal
> opinion about some direct help in our docs. IMHO this is specifically
> important since *lots* of links that can be found by your favourite
> search engine are advertising the use of apt-key.
I don't want to advertise signed-by=. We should aim to get deb822 format
supported in python-apt next cycle, and then advertise a consistent use
of deb822 .sources files.
Including, but not limited to, having d-i create
sources.list.d/<vendor>.sources instead of sources.list.
It just looks bad in the legacy file format.
I'm still concerned having signed-by leads people to adding sources
they trust less, only to then be rootkitted by evil maintainer scripts
of packages in that repo.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
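The keyring-versus-keybox mix-up discussed in the thread (a file created with `gpg --keyring` under gpg 2 is a keybox database, while apt and apt-key only read the binary OpenPGP keyring that `gpg --export` writes) is easy to check from the first bytes of the file. The script below is an added example, not code from the bug report, from apt, or from either participant. It classifies every file in a directory such as /etc/apt/trusted.gpg.d by its leading bytes; the sample files it writes to a temporary directory are constructed (a keybox header blob, the first bytes of an exported public keyring, an ASCII-armored export, and an empty file), and the `export_keyring` helper at the end is an assumed wrapper around `gpg --export` that the samples do not exercise.

```shell
#!/bin/sh
# Added example: tell apart the file formats that end up in
# /etc/apt/trusted.gpg.d/ by their leading bytes.
#   keyring  - binary OpenPGP packets, as written by "gpg --export"
#              (the only format apt-key accepts, and what apt reads as .gpg)
#   keybox   - gpg 2 keybox database, as written by "gpg --keyring <file>"
#              (apt cannot read this; the usual cause of "NO_PUBKEY")
#   armored  - ASCII-armored export ("-----BEGIN PGP PUBLIC KEY BLOCK-----")

classify_keyfile() {
    f="$1"
    [ -f "$f" ] || { echo "not-a-file"; return 1; }
    [ -r "$f" ] || { echo "unreadable"; return 1; }
    [ -s "$f" ] || { echo "empty"; return 1; }
    # Leading 12 bytes as one contiguous lowercase hex string.
    hex=$(head -c 12 "$f" | od -An -v -tx1 | tr -d ' \n')
    case "$hex" in
        # Keybox header blob: u32 length, type 0x01, version 0x01,
        # u16 flags, then the magic "KBXf" (4b 42 58 66) at offset 8.
        ????????0101????4b425866*) echo "keybox"; return 0 ;;
        # "-----BEGIN" = 2d x5 followed by 42 45 47 49 4e
        2d2d2d2d2d424547494e*) echo "armored"; return 0 ;;
    esac
    # Binary OpenPGP: bit 7 of the first packet byte is always set.
    b=$(head -c 1 "$f" | od -An -tu1 | tr -d ' \n')
    if [ $((b & 128)) -eq 0 ]; then
        echo "unknown"; return 1
    fi
    # Old-format header keeps the tag in bits 5..2, new-format in bits 5..0.
    if [ $((b & 64)) -ne 0 ]; then
        tag=$((b & 63))
    else
        tag=$(((b & 60) >> 2))
    fi
    # An exported public keyring starts with a Public-Key packet (tag 6).
    if [ "$tag" -eq 6 ]; then
        echo "keyring"; return 0
    fi
    echo "openpgp-tag-$tag"; return 1
}

# Constructed sample files; prints the directory they were written to.
make_samples() {
    d=$(mktemp -d)
    # keybox header: length 32, type 1, version 1, flags 0, magic "KBXf"
    printf '\000\000\000 \001\001\000\000KBXf' > "$d/keybox.gpg"
    # old-format Public-Key packet header 0x99 (tag 6, 2-byte length 0x01b2),
    # followed by the key version byte 4
    printf '\231\001\262\004' > "$d/keyring.gpg"
    printf -- '-----BEGIN PGP PUBLIC KEY BLOCK-----\n' > "$d/keyring.asc"
    : > "$d/empty.gpg"
    echo "$d"
}

# Assumed helper for the fix the thread describes: export a binary keyring
# with "gpg --export" (not --keyring) and re-check the result.
export_keyring() {
    gpg --export "$1" > "$2" && classify_keyfile "$2"
}

# Walk a real directory if one is given, otherwise the constructed samples.
dir=${1:-$(make_samples)}
for f in "$dir"/*; do
    kind=$(classify_keyfile "$f") || true
    printf '%-48s %s\n' "$f" "$kind"
done
```

Run it as `sh check-keyfiles.sh /etc/apt/trusted.gpg.d` to audit the directory; anything reported as `keybox` is a file apt will silently ignore when verifying signatures, which is exactly the "works with gpg, fails with apt" symptom from the thread.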