
Bug#558784: marked as done (apt: re-adds removed keys)



Your message dated Mon, 14 Dec 2009 12:35:56 +0100
with message-id <c64043e60912140335i51345b5fh9201973d281d331a@mail.gmail.com>
and subject line Re: Bug#558784: apt: re-adds removed keys
has caused the Debian Bug report #558784,
regarding apt: re-adds removed keys
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
558784: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558784
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Severity: serious
Version: 0.7.24
Justification: overwrites local configuration changes

I have removed some keys from my apt keyring, but it seems like apt
always re-adds them when configuring:

shashlik# apt-key list
/etc/apt/trusted.gpg
--------------------
pub   1024D/6070D3A1 2006-11-20 [expired: 2009-07-01]
uid                  Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>

pub   1024D/ADB11277 2006-09-17
uid                  Etch Stable Release Key <debian-release@lists.debian.org>

[...]

shashlik# apt-key remove ADB11277
OK
shashlik# apt-key update
gpg: key 6070D3A1: "Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>" not changed
gpg: key ADB11277: public key "Etch Stable Release Key <debian-release@lists.debian.org>" imported
gpg: key BBE55AB3: "Debian-Volatile Archive Automatic Signing Key (4.0/etch)" not changed
gpg: key F42584E6: "Lenny Stable Release Key <debian-release@lists.debian.org>" not changed
gpg: key 55BE302B: "Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>" not changed
gpg: key 6D849617: "Debian-Volatile Archive Automatic Signing Key (5.0/lenny)" not changed
gpg: Total number processed: 6
gpg:               imported: 1
gpg:              unchanged: 5
gpg: no ultimately trusted keys found
shashlik# apt-key list
/etc/apt/trusted.gpg
--------------------

[...]

pub   1024D/ADB11277 2006-09-17
uid                  Etch Stable Release Key <debian-release@lists.debian.org>

shashlik# 

from apt.postinst:

case "$1" in
    configure)

        if ! test -f /etc/apt/trusted.gpg; then
                cp /usr/share/apt/debian-archive.gpg /etc/apt/trusted.gpg
        fi

        apt-key update

    ;;

so it is actually a double policy violation: removing
/etc/apt/trusted.gpg is a perfectly legal configuration change that apt
must not override.  Ditto, removing a key is a perfectly legal
configuration change that apt must not override in its postinst.

-- 
Tollef Fog Heen 
UNIX is user friendly, it's just picky about who its friends are



--- End Message ---
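As an added example (not code from the bug report, from apt, or from the reporter), the script below parses `apt-key list` output and predicts what the `apt-key update` run in apt.postinst will do to a locally edited /etc/apt/trusted.gpg: every key present in the shipped archive keyring but missing locally comes back, nothing is ever dropped, and locally added keys survive. The two listings are constructed from the key IDs shown in the report; creation dates other than the two the report prints, the contents of the shipped keyring, and the local-only key 0000AAAA are placeholders for illustration.

```python
"""Parse `apt-key list` output and predict the effect of `apt-key update`.

Added example for Debian bug #558784; not part of apt or of the report.
Listings below are constructed: key IDs come from the report, dates other
than those printed in the report and key 0000AAAA are placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# apt-key list prints a "pub" line per key, followed by a "uid" line, e.g.
#   pub   1024D/ADB11277 2006-09-17 [expired: 2009-07-01]
#   uid                  Etch Stable Release Key <...>
PUB_RE = re.compile(
    r"^pub\s+(?P<bits>\d+)(?P<algo>[A-Za-z])/(?P<keyid>[0-9A-Fa-f]{8,16})"
    r"\s+(?P<created>\d{4}-\d{2}-\d{2})"
    r"(?:\s+\[expired:\s*(?P<expired>\d{4}-\d{2}-\d{2})\])?"
)
UID_RE = re.compile(r"^uid\s+(?P<uid>.+?)\s*$")

# Constructed: what apt-key list would print for the shipped archive keyring
# (placeholder dates except for the two keys the report shows in full).
SHIPPED_LISTING = """\
/usr/share/apt/debian-archive.gpg
---------------------------------
pub   1024D/6070D3A1 2006-11-20 [expired: 2009-07-01]
uid                  Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>

pub   1024D/ADB11277 2006-09-17
uid                  Etch Stable Release Key <debian-release@lists.debian.org>

pub   1024D/BBE55AB3 2007-01-01
uid                  Debian-Volatile Archive Automatic Signing Key (4.0/etch)

pub   1024D/F42584E6 2009-01-01
uid                  Lenny Stable Release Key <debian-release@lists.debian.org>

pub   4096R/55BE302B 2009-01-01
uid                  Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>

pub   1024D/6D849617 2009-01-01
uid                  Debian-Volatile Archive Automatic Signing Key (5.0/lenny)
"""

# Constructed: /etc/apt/trusted.gpg after the admin ran
# `apt-key remove ADB11277` and added one local repository key.
LOCAL_LISTING = """\
/etc/apt/trusted.gpg
--------------------
pub   1024D/6070D3A1 2006-11-20 [expired: 2009-07-01]
uid                  Debian Archive Automatic Signing Key (4.0/etch) <ftpmaster@debian.org>

pub   1024D/BBE55AB3 2007-01-01
uid                  Debian-Volatile Archive Automatic Signing Key (4.0/etch)

pub   1024D/F42584E6 2009-01-01
uid                  Lenny Stable Release Key <debian-release@lists.debian.org>

pub   4096R/55BE302B 2009-01-01
uid                  Debian Archive Automatic Signing Key (5.0/lenny) <ftpmaster@debian.org>

pub   1024D/6D849617 2009-01-01
uid                  Debian-Volatile Archive Automatic Signing Key (5.0/lenny)

pub   2048R/0000AAAA 2009-12-01
uid                  Example Local Repository Key (placeholder) <repo@example.invalid>
"""


@dataclass
class Key:
    keyid: str
    algo: str
    bits: int
    created: str
    expired: Optional[str]
    uid: str = ""


def parse_apt_key_list(text: str) -> Dict[str, Key]:
    """Return the keys in an `apt-key list` dump, indexed by upper-case key ID.

    Header, blank and "sub" lines are ignored; only the first uid of each
    key is kept.
    """
    keys: Dict[str, Key] = {}
    current: Optional[Key] = None
    for line in text.splitlines():
        m = PUB_RE.match(line)
        if m:
            current = Key(m["keyid"].upper(), m["algo"].upper(), int(m["bits"]),
                          m["created"], m["expired"])
            keys[current.keyid] = current
            continue
        m = UID_RE.match(line)
        if m and current is not None and not current.uid:
            current.uid = m["uid"]
    return keys


def predict_update(local: Dict[str, Key], shipped: Dict[str, Key]) -> Dict[str, List[str]]:
    """Model `apt-key update` as a one-way merge of the shipped keyring into
    trusted.gpg: removed keys are re-imported, extra local keys are kept,
    and expired keys in the shipped keyring are flagged for the admin."""
    return {
        "reimported": sorted(k for k in shipped if k not in local),
        "local_only": sorted(k for k in local if k not in shipped),
        "expired_in_shipped": sorted(k for k, v in shipped.items() if v.expired),
    }


def keys_after_update(local: Dict[str, Key], shipped: Dict[str, Key]) -> Dict[str, Key]:
    """Keyring contents after apt.postinst's `apt-key update` (union of both)."""
    merged = dict(shipped)
    merged.update(local)
    return merged


if __name__ == "__main__":
    shipped = parse_apt_key_list(SHIPPED_LISTING)
    local = parse_apt_key_list(LOCAL_LISTING)
    for what, ids in predict_update(local, shipped).items():
        print(f"{what}: {', '.join(ids) or '-'}")
    print("keys after update:", ", ".join(sorted(keys_after_update(local, shipped))))
```

The `reimported` list is exactly the set a removed key lands in, which is the behaviour the report demonstrates with ADB11277; `expired_in_shipped` is worth checking separately because an expired key such as 6070D3A1 is still re-imported unchanged by the same merge.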
--- Begin Message ---
Hi Tollef Fog Heen,

2009/11/30 Tollef Fog Heen <tfheen@err.no>:
>
> Package: apt
> Severity: serious
> Version: 0.7.24
> Justification: overwrites local configuration changes
Thanks for your report - unfortunately I think this report is invalid
and I therefore close it for the following reasons.
Feel free to ask and/or reopen it, but please read the reasons
below first and be prepared to give good reasons if you disagree.

While I could agree with you on a (very high) metalevel that this could
be a valid configuration change, I have a few very simple practical
reasons why not:
- first of all: /etc/apt/trusted.gpg is not a configuration file
  [in the dpkg sense]. Yes, it looks like one as it is in /etc, and it is in
  some ways a configuration file, but not directly if you compare it to
  "normal" configuration files like xorg.conf.
- apt depends on debian-archive-keyring, so it explicitly says that it
  requires the complete keyring to work correctly. An administrator who
  removes parts of this keyring therefore doesn't make a valid configuration
  change; he breaks the dependency apt has, causing apt to do possibly
  strange things (the behavior of applications with broken dependencies is
  undefined), including reimporting the keyring to fix it.
  (A segfault would also be possible.)
- A keyring is a keyring because the keys together form a ring of trust.
  If you don't trust a key in the ring, you can't trust the keyring
  (if this were not the case a keyring should be called a "loosely coupled
  group of keys"), so if you remove a key you effectively remove the keyring.
  This is disallowed by the dependency (as said in the previous point).


Best regards / Mit freundlichen Grüßen,

David "DonKult" Kalnischkies


--- End Message ---
