
Re: Re: Re: Trouble with upgrading debian 7 (wheezy) (solved)



Hello,

On Wed, Sep 02, 2020 at 12:43:35PM -0500, R. Ramesh wrote:
>   My only wish is that apt is updated to say something about the fact
> that this is unsupported and users are on their own, but still
> provide the download/install without us having to manually
> intervene.

I think¹ that there are two distinct things here:

1) The Debian Project's apt repositories and archives.

2) The software packages "apt" and "apt-get", designed for
   interacting with an apt archive.

It is my understanding that:

- The Debian Project has chosen to use key expiry as an indication
  (or one of the indications) that a particular distribution in its
  repository is no longer maintained.

- The "apt" commands interpret an expired key as a repository that
  should not be used without manual intervention.

So in effect allowing the key to expire *is* the message that you
are looking for, and having to force apt to ignore that can provide
a download, albeit with manual intervention necessary.

Apparently with an apt from stretch onwards you can configure
Check-Valid-Until in the actual sources file itself, so when stretch
is archived it could be referred to like this:

deb [check-valid-until=no] http://archive.debian.org/debian/ stretch main

in /etc/apt/sources.list or a snippet inside
/etc/apt/sources.list.d/. That would disable the expired key check
for just the archived stretch and not every repository you have
configured, with no command line override required.

Something I am not sure of: The key signs the repository's Release
file, and the Release file contains (amongst other things) checksums
for the index files. The index files contain hashes of all the
actual files, so you need a valid Release file to ensure integrity
of indices which then ensure integrity of actual packages. If one
forces apt to accept a Release file whose signing key has expired,
does apt still check the hashes in the indices that the Release file
references in order to ensure integrity of the files that are
downloaded? That is, will disabling Check-Valid-Until also disable
file integrity checks?

There is more in the man page apt-secure about which security checks
can be overridden.

    https://manpages.debian.org/buster/apt/apt-secure.8.en.html

Cheers,
Andy

¹ and I could well be wrong, since I am only a user of Debian, not a
  Developer or contributor to apt.

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting

> I'd be interested to hear any (even two word) reviews of their sofas…
Provides seating.        — Andy Davidson
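
An added illustration of the two checks discussed in the message above, written as a small Python model. It is not apt's code and not part of Andy's message; the Release and Packages contents, the path names and the function names are all constructed for the example. Two facts it relies on: the expiry that apt's Check-Valid-Until option (and the [check-valid-until=no] sources option) governs is the Valid-Until field the archive writes into the Release file, and the digests of the index files listed in that Release file are a separate check that the option does not disable. The OpenPGP signature check on the Release/InRelease file, which apt performs before either of these, is deliberately left out of the model.

```python
"""Model of the two separate checks apt applies to an archive's Release file:
the Valid-Until expiry and the per-index hash table. Sample data only."""
import hashlib
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample index (a toy Packages file); not data from any real archive.
PACKAGES_INDEX = (
    b"Package: example\n"
    b"Version: 1.0-1\n"
    b"Architecture: amd64\n"
    b"Filename: pool/main/e/example/example_1.0-1_amd64.deb\n"
    b"Size: 1234\n"
    b"SHA256: " + b"0" * 64 + b"\n\n"
)
INDEX_PATH = "main/binary-amd64/Packages"  # assumed path, relative to dists/<suite>/


def build_release(valid_until: str, indices: dict) -> str:
    """Construct a Release body whose SHA256 table covers the given index files.
    Only the fields this model reads are emitted (constructed sample, not a real archive)."""
    lines = [
        "Origin: Example",
        "Suite: oldstable",
        "Codename: stretch",
        "Date: Sat, 01 Jan 2022 00:00:00 UTC",
        f"Valid-Until: {valid_until}",
        "SHA256:",
    ]
    for path, data in indices.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data):>16} {path}")
    return "\n".join(lines) + "\n"


def parse_release(text: str) -> dict:
    """Return {'fields': {...}, 'sha256': {path: (hexdigest, size)}} from a Release body."""
    fields, sha256, in_sha256 = {}, {}, False
    for line in text.splitlines():
        if line.startswith(" "):
            if in_sha256:  # continuation line of the SHA256 table
                digest, size, path = line.split()
                sha256[path] = (digest, int(size))
            continue  # other hash tables (MD5Sum, SHA1) are ignored by this model
        key, _, value = line.partition(":")
        in_sha256 = key == "SHA256"
        if not in_sha256 and key:
            fields[key] = value.strip()
    return {"fields": fields, "sha256": sha256}


def release_expired(release: dict, now: datetime, check_valid_until: bool = True) -> bool:
    """The Valid-Until check: the one that Check-Valid-Until switches on or off."""
    valid_until = release["fields"].get("Valid-Until")
    if not check_valid_until or valid_until is None:
        return False
    return now > parsedate_to_datetime(valid_until)


def index_ok(release: dict, path: str, data: bytes) -> bool:
    """The integrity check: a downloaded index must match the size and digest the Release lists."""
    if path not in release["sha256"]:
        return False
    digest, size = release["sha256"][path]
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


def acquire_index(release_text: str, path: str, data: bytes, now: datetime,
                  check_valid_until: bool = True) -> str:
    """Apply both checks in order; turning off the first never skips the second."""
    release = parse_release(release_text)
    if release_expired(release, now, check_valid_until):
        return "rejected: Release file expired"
    if not index_ok(release, path, data):
        return "rejected: hash mismatch"
    return "accepted"


if __name__ == "__main__":
    release = build_release("Sat, 01 Jul 2023 00:00:00 UTC", {INDEX_PATH: PACKAGES_INDEX})
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(acquire_index(release, INDEX_PATH, PACKAGES_INDEX, now))                           # expired
    print(acquire_index(release, INDEX_PATH, PACKAGES_INDEX, now, check_valid_until=False))  # accepted
    tampered = PACKAGES_INDEX.replace(b"1.0-1", b"1.0-2")  # same length, so only the digest differs
    print(acquire_index(release, INDEX_PATH, tampered, now, check_valid_until=False))        # hash mismatch
```

The third call is the one that answers the question in the message for this model: the Release file is past its Valid-Until and that check has been switched off, yet an index whose bytes no longer match the digest in the Release file is still refused. What check-valid-until=no buys you is a download from an archived suite without a command-line override; what it does not buy an attacker is the ability to serve modified indices under a Release file you have accepted.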

