Package: release.debian.org User: release.debian.org@packages.debian.org Usertags: unblock Hi,tl;dr: debian-archive-keyring 2025.1 did change some file content arround, this needs an update in open-infrastructure-compute-tools and the new version contains only this exact fix (debdiff attached).
please unblock open-infrastructure-compute-tools 20250604-1.
long story:
* o-i-compute-tools creates containers by (de)bootstrapping them
during which it also populates apt sources.lists.
* with (almost) making Signed-by mandatory for apt sources in trixie
(I like that, thanks!), the keyrings need to be referenced in
sources.lists.
* debian-archive-keyring contains each keys in individual files,
as well as one file containing all keys.
* from a theoretical point of view, it could be argued, that
using the exact individual key for each of debians suite
repositories in sources.list entry is more "secure" than using the
whole keyring for all debian repositories indiscriminately.
* the current version of o-i-compute-tools uses individual keys
for each debian suite, this works fine with anything upto and
including bookworm as well as with trixie/sid for anything with
debian-archive-keyring < 2025.1.
* for trixie/sid and debian-archive-keyring >= 2025.1 this doesn't
work anymore.
* debian, on official media, uses the whole keyring and doesn't
distinguish matching individual suite repos and keys. therefore,
I've changed this in o-i-compute-tools to do the same and that's
what's in the debdiff.
* with the updated package, containers for all currently supported
debian releases, including trixie, can be created (again). without
it, trixie containers cannot be build successfully.
Regards,
DanielAttachment:
debdiff.gz
Description: application/gzip