
Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity



On Thu, Jul 01, 2021 at 02:18:17PM +0200, Andreas Tille wrote:
> Hi Julian,
> 
> On Thu, Jul 01, 2021 at 02:02:43PM +0200, Julian Andres Klode wrote:
> > Control: severity -1 minor
> > 
> > On Thu, Jul 01, 2021 at 01:51:22PM +0200, Andreas Tille wrote:
> > > I have some packages for my own use (I mean there is no reason to expect
> > > that someone wants to pull things from there) on my private web page
> > > which I signed with my Debian key.  This was working up to recently with
> > > apt-key.  Since this was not working any more I tried to follow the
> > > advice given in the error message and started reading apt-secure(8)
> > > where I just found a hint to apt-key which is deprecated.
> > 
> > There have been no changes on our side.
> 
> That's strange.
>  
> > > IMHO users who are using third party repositories will get a broken
> > > system after upgrading to Debian 11 and there is no helpful hint given
> > > how to fix it.
> > > 
> > > BTW, I did some
> > > 
> > >    apt-key del 578A0494D1C646D1
> > 
> > OK
> > 
> > > 
> > > added my key to /etc/apt/trusted.gpg.d/fam-tille.gpg
> > 
> > So you used --keyring /etc/apt/trusted.gpg.d/fam-tille.gpg
> > instead of --export > /etc/apt/trusted.gpg.d/fam-tille.gpg?
> > 
> > Did you read the apt-key(8) manual page?
> > 
> >        apt-key supports only the binary OpenPGP format (also known as
> >        "GPG key public ring") in files with the "gpg" extension, not the
> >        keybox database format introduced in newer gpg(1) versions
> >        as default for keyring files. Binary keyring files
> >        intended to be used with any apt version should therefore
> >        always be created with gpg --export.
> > 
> > This problem happened to a lot of people, ever since gpg 2 became
> > the default which switched --keyring to generate not keyrings, but
> > keybox databases.
> 
> I admit the problem that it did not work yet was just on my end - I
> simply copied over the wrong key.  Sorry for that part of the noise.
>  
> > > and added an according
> > > 
> > >    [signed-by=/etc/apt/trusted.gpg.d/fam-tille.gpg]
> > > 
> > > option to the sources.list line ... and it does not yet work.  So I
> > > think it is critical to point to a solution that *really* works.
> > 
> > Well, it should if you have a proper GPG keyring file, and not a
> > keybox file.
> 
> ... the format was OK, just an old key. (Hiding behind some stone.)
>  
> > > Due to potential breaking user systems I wonder if someone agrees
> > > with bumping the severity of the bug to serious.
> > 
> > I disagree, and think this bug is a minor documentation issue,
> > your issue here is likely outside the computer.
> 
> I stick to the opinion that apt-secure pointing to apt-key which
> is deprecated is simply the wrong thing.

Yes, the manpages need some reshuffling. But we're about to enter
hard freeze, and I don't want to end up breaking the translations
at this point and do a big reshuffling and rewrite of the docs.

> I would love to see some kind of example like
> 
>    [signed-by=/etc/apt/trusted.gpg.d/your-key.gpg]

You don't _need_ signed-by if you place files in trusted.gpg.d,
everything in trusted.gpg.d is trusted by any source lacking
a signed-by.

> 
> directly and I think this should become part of Debian 11 release.  But
> I will not play severity ping-pong - just stating my very personal
> opinion about some direct help in our docs.  IMHO this is specifically
> important since *lots* of links that can be found by your favourite
> search engine are advertising the use of apt-key.

I don't want to advertise signed-by=. We should aim to get deb822 format
supported in python-apt next cycle, and then advertise a consistent use
of deb822 .sources files.

Including, but not limited to, having d-i create
sources.list.d/<vendor>.sources instead of sources.list.

It just looks bad in the legacy file format. 

I'm still concerned having signed-by leads people to adding sources
they trust less, only to then be rootkitted by evil maintainer scripts
of packages in that repo.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
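The mix-up the reply describes (a GnuPG 2.x keybox database written by "gpg --keyring file.gpg --import" where apt expects a binary OpenPGP keyring written by "gpg --export"), as an added example that is not code from the thread or from apt: a small POSIX shell check to run on a file before it goes into /etc/apt/trusted.gpg.d or a signed-by= option. The magic bytes it keys on ("KBXf" at byte offset 8 of a keybox header blob; a first byte of 0x99 or 0xC6, i.e. an OpenPGP public-key packet, for an exported keyring; "-----BEGIN PGP" for ASCII armor), the function names and the constructed sample files are my assumptions, not anything the page states, and the gpg --dearmor advice for armored files is mine as well.

```shell
#!/bin/sh
# Added example, not code from the thread or from apt: tell a binary OpenPGP
# keyring (the format apt-key(8) and apt read from .gpg files) apart from the
# GnuPG 2.x keybox database that "gpg --keyring file.gpg --import" creates.
#
# Assumptions (mine, not the page's): a keybox file carries the magic "KBXf"
# at byte offset 8 of its header blob; a keyring written by "gpg --export"
# starts with an OpenPGP public-key packet, first byte 0x99 (old packet
# format, tag 6, two-byte length) or 0xC6 (new packet format, tag 6);
# ASCII armor starts with "-----BEGIN PGP".

# Print the detected format: keybox, openpgp, armored or unknown.
apt_keyring_format() {
    # first 14 bytes as one lowercase hex string, e.g. "990106..." for a keyring
    hex=$(od -An -tx1 -N14 "$1" 2>/dev/null | tr -d ' \n')
    case "$hex" in
        ????????????????4b425866*)     echo keybox ;;   # bytes 8..11 = "KBXf"
        99*|c6*)                       echo openpgp ;;  # public-key packet first
        2d2d2d2d2d424547494e20504750*) echo armored ;;  # "-----BEGIN PGP"
        *)                             echo unknown ;;
    esac
}

# Exit 0 if apt will accept the file as it is, 1 with advice on stderr if not.
apt_keyring_check() {
    f=$1
    case "$(apt_keyring_format "$f")" in
        openpgp)
            echo "$f: binary OpenPGP keyring, usable by apt"
            return 0 ;;
        keybox)
            echo "$f: GnuPG keybox database, not a keyring; recreate it with:" >&2
            echo "    gpg --export KEYID > $f" >&2
            return 1 ;;
        armored)
            echo "$f: ASCII-armored key; convert it with: gpg --dearmor < key.asc > $f" >&2
            return 1 ;;
        *)
            echo "$f: not recognised as an OpenPGP keyring" >&2
            return 1 ;;
    esac
}

# Constructed sample files (not real keys): just the leading bytes of each
# format, enough to exercise the detection above. Prints their directory.
make_samples() {
    dir=$(mktemp -d)
    # keybox header blob: u32 length 32, type 1, version 1, u16 flags, "KBXf"
    printf '\000\000\000\040\001\001\000\000KBXf' > "$dir/keybox.gpg"
    # old-format OpenPGP public-key packet header: tag byte 0x99, 2-byte length
    printf '\231\001\000' > "$dir/keyring.gpg"
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' > "$dir/key.asc"
    echo "$dir"
}

# Stand-alone run ("sh check-keyring.sh --demo"): check the three samples.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    for f in "$d"/keybox.gpg "$d"/keyring.gpg "$d"/key.asc; do
        apt_keyring_check "$f" || true
    done
    rm -rf "$d"
fi
```

On a real system, point apt_keyring_check at the file you just created; if it reports a keybox, regenerate it with gpg --export as the quoted apt-key(8) text says, rather than importing into it with --keyring. Keep in mind the point made above about scope: a file dropped into /etc/apt/trusted.gpg.d is trusted by every source that lacks a signed-by option, so a key meant for one third-party repository only is better kept out of that directory and referenced from its source entry with signed-by.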

