
Bug#558784: apt: re-adds removed keys



I still don't think it is a real bug as APT has a hard dependency on
debian-archive-keyring ~ it doesn't recommend these keys, it says:
You must have ALL these keys installed to use APT correctly and
on the other hand I see no reason why someone wants to remove a
key from the debian-archive-keyring which would not be better
done by the package itself for all users…
(we could question the dependency itself now of course)


But anyway, APT 0.7.25.1 includes some code to help with this -
let us call it - usecase: trusted.gpg can be split into fragment files.
Current status is to ship squeeze with support for these fragments
while not actually using it, to be on the safe side in regards to backports
and co, and to recommend usage directly after the squeeze release, so
I would tag it squeeze-ignore, but that is a decision up to the release team -
who is btw also responsible for debian-archive-keyring and therefore
the biggest player in a possible keyring-transition…

The big advantage is that we would no longer need apt-key and
therefore gpg to add/remove keys to apt's trusted keyring:
Simple mv, cp & rm would be enough for managing, gpgv for usage and
gnupg could be dropped from Priority:important-list (see #387688).

The small advantage for you would be that these fragment files could
be real dpkg conffiles and neither apt nor debian-archive-keyring would need
special code (aka apt-key update) to ensure a correctly set up keyring.

The files are still binary files so dpkg's conffile handling wouldn't be that
helpful, but at least the md5sum mismatch would be noticeable…
(Yes, binary is required here as gpgv only supports the binary format)
On the other hand the keyrings could be fragmented in
debian-archive-keyring-lenny.gpg, debian-archive-keyring-squeeze.gpg,
whatever.gpg so the situation would be in 99% of all cases
a removed conffile instead of a modified… (if modified at all).

Oh, and yes, after that apt could lower the debian-archive-keyring
dependency to recommends as it wouldn't need to set it up any longer,
but I would like to defer this discussion to some point after squeeze…


Best regards / Mit freundlichen Grüßen,

David Kalnischkies


P.S.: I fail to see why /var/lib is a better place for trusted keys than /etc.
APT doesn't modify it while running, it isn't bound to a specific host
(why should I not share my trusted keys between my boxes as I do
 with my other APT settings?) and users can modify it (to some extent).
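The message above makes two points about keyring fragments that are easy to check mechanically: with the fragments as dpkg conffiles, a removed or modified fragment shows up as an md5sum mismatch against what the package shipped, and gpgv only reads binary OpenPGP keyrings, so an ASCII-armored fragment dropped into the directory is silently useless. The following script is an added example written for this page, not code from APT, dpkg or the thread's author. It assumes a manifest of shipped fragment names and md5sums (standing in for the md5sums dpkg records for a package's conffiles) and a snapshot of the fragment directory as name -> bytes; all key bytes are constructed placeholders, not real Debian keys.

```python
import hashlib
from typing import Dict, List

# Constructed stand-in for what debian-archive-keyring would ship as conffiles.
# The bytes start with an OpenPGP old-format public-key packet header (0x99)
# so they look like binary keyring data; the rest is filler, not a real key.
SHIPPED_FRAGMENTS: Dict[str, bytes] = {
    "debian-archive-keyring-lenny.gpg": b"\x99\x01\x0d" + b"constructed-lenny-key-material",
    "debian-archive-keyring-squeeze.gpg": b"\x99\x01\x0d" + b"constructed-squeeze-key-material",
}

ARMOR_HEADER = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"


def md5_hex(data: bytes) -> str:
    # dpkg records conffile checksums as md5sums, hence md5 here (integrity
    # bookkeeping only, not a cryptographic trust decision).
    return hashlib.md5(data).hexdigest()


def shipped_manifest(shipped: Dict[str, bytes]) -> Dict[str, str]:
    """Build the name -> md5sum manifest the package would have recorded."""
    return {name: md5_hex(content) for name, content in shipped.items()}


def classify_fragments(manifest: Dict[str, str], installed: Dict[str, bytes]) -> Dict[str, str]:
    """Compare the fragment directory against the shipped manifest.

    Each file name maps to one of:
      'ok'        - present and matches the shipped md5sum
      'modified'  - present but md5sum differs (the mismatch dpkg would notice)
      'removed'   - shipped but no longer present (the common case the thread expects)
      'unmanaged' - present but not shipped by the package (locally added key)
    """
    report: Dict[str, str] = {}
    for name, expected in manifest.items():
        if name not in installed:
            report[name] = "removed"
        elif md5_hex(installed[name]) != expected:
            report[name] = "modified"
        else:
            report[name] = "ok"
    for name in installed:
        if name not in manifest:
            report[name] = "unmanaged"
    return report


def looks_binary_keyring(data: bytes) -> bool:
    """True if the data could be a binary OpenPGP keyring as gpgv expects.

    Every OpenPGP packet header has bit 7 of its first octet set (RFC 4880),
    whereas ASCII armor starts with a '-----BEGIN' line.
    """
    if not data or data.startswith(ARMOR_HEADER):
        return False
    return bool(data[0] & 0x80)


def armored_fragments(installed: Dict[str, bytes]) -> List[str]:
    """Names of fragments gpgv would not be able to read (armored or garbage)."""
    return sorted(name for name, data in installed.items() if not looks_binary_keyring(data))


if __name__ == "__main__":
    # Constructed scenario: admin removed the lenny fragment, squeeze fragment
    # got an extra byte appended, and an armored key was copied in by hand.
    manifest = shipped_manifest(SHIPPED_FRAGMENTS)
    installed = dict(SHIPPED_FRAGMENTS)
    del installed["debian-archive-keyring-lenny.gpg"]
    installed["debian-archive-keyring-squeeze.gpg"] += b"\x00"
    installed["local-mirror.gpg"] = ARMOR_HEADER + b"\nVersion: constructed\n"
    for name, status in sorted(classify_fragments(manifest, installed).items()):
        print(f"{status:10} {name}")
    for name in armored_fragments(installed):
        print(f"not usable by gpgv (not binary): {name}")
```

On a real system the manifest would come from the `Conffiles:` entries in `/var/lib/dpkg/status` and the snapshot from reading `/etc/apt/trusted.gpg.d`; the classification logic is unchanged, and the binary check is the caveat the message raises about gpgv's format support.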


