Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity

To: debian-devel@lists.debian.org
Cc: Julian Andres Klode <jak@debian.org>, 990521@bugs.debian.org
Subject: Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity
From: Andreas Tille <andreas@an3as.eu>
Date: Thu, 1 Jul 2021 14:55:22 +0200
Message-id: <[🔎] 20210701125522.GR10939@an3as.eu>
In-reply-to: <[🔎] 20210701141910.GA2418829@debian.org>
References: <162513538088.3116037.16931305603726561033.reportbug@energija.fam-tille.de> <[🔎] 20210701115122.GO10939@an3as.eu> <[🔎] 20210701135709.GA2393500@debian.org> <[🔎] 20210701121817.GQ10939@an3as.eu> <[🔎] 20210701141910.GA2418829@debian.org>

On Thu, Jul 01, 2021 at 02:27:31PM +0200, Julian Andres Klode wrote:
> > > I disagree, and think this bug is a minor documentation issue,
> > > your issue here is likely outside the computer.
> > 
> > I stick to the opinion that apt-secure pointing to apt-key which
> > is deprecated is simply the wrong thing.
> 
> Yes, the manpages need some reshuffling. But we're about to enter
> hard freeze, and I don't want to end up breaking the translations
> at this point and do a big reshuffling and rewrite of the docs.

Fair point.
 
> > I would love to see some kind of example like
> > 
> >    [signed-by=/etc/apt/trusted.gpg.d/your-key.gpg]
> 
> You don't _need_ signed-by if you place files in trusted.gpg.d,
> everything in trusted.gpg.d is trusted by any source lacking
> a signed-by.

OK, I lived under the impression that this is really needed
(by seeking on the web for non-apt-key using docs.)  If this is
the case I absolutely agree with you.
 
> > directly and I think this should become part of Debian 11 release.  But
> > I will not play severity ping-pong - just stating my very personal
> > opinion about some direct help in our docs.  IMHO this is specifically
> > important since *lots* of links that can be found by your favourite
> > search engine are advertising the use of apt-key.
> 
> I don't want to advertise signed-by=. We should aim to get deb822 format
> supported in python-apt next cycle, and then advertise a consistent use
> of deb822 .sources files.
> 
> Including, but not limited to, having d-i create
> sources.list.d/<vendor>.sources instead of sources.list.
> 
> It just looks bad in the legacy file format. 
> 
> I'm still concerned having signed-by leads people to adding sources
> they trust less, only to then be rootkitted by evil maintainer scripts
> of packages in that repo.

Thanks a lot for the clarification.  I agree now with the minor
issue statement.

Kind regards

     Andreas. 

-- 
http://fam-tille.de

Reply to:

References:
- I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity
  - From: Andreas Tille <andreas@an3as.eu>
- Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity
  - From: Julian Andres Klode <jak@debian.org>
- Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity
  - From: Andreas Tille <andreas@an3as.eu>
- Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity
  - From: Julian Andres Klode <jak@debian.org>

Prev by Date: Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity
Next by Date: Re: Reconsider sending ITP bugs to debian-devel: a new list?
Previous by thread: Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity
Next by thread: Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity
Index(es):
- Date
- Thread