Your message dated Mon, 1 Feb 2010 23:49:41 +0100 with message-id <c64043e61002011449n1df461c1j90d35a65e101fa46@mail.gmail.com> and subject line Close: the varying permissions of /etc/apt/trusted.gpg has caused the Debian Bug report #406799, regarding the varying permissions of /etc/apt/trusted.gpg to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 406799: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=406799 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: the varying permissions of /etc/apt/trusted.gpg
- From: Joey Hess <joeyh@debian.org>
- Date: Sun, 14 Jan 2007 02:15:18 -0500
- Message-id: <20070114071518.GA20163@kitenet.net>
Package: apt Version: 0.6.46.4 Severity: normal Apparently a bunch of systems have a /etc/apt/trusted.gpg that's mode 644, while many others have one that's mode 600. As best I can tell, it used to be the case that during debootstrap, the file was created by apt's postinst: if ! test -f /etc/apt/trusted.gpg; then cp /usr/share/apt/debian-archive.gpg /etc/apt/trusted.gpg fi That cp results in the file being 644, and it's 644 on all my older systems. But if I debootstrap etch today, the file is instead mode 600. This is because apt now depends on debian-archive-keyring, which does this in its postinst: if [ -x /usr/bin/apt-key ]; then /usr/bin/apt-key update fi Currently in debootstrap, apt-key exists at this point, and when it runs on a system with no trusted.gpg, gpg defaults to mode 600. This came to my attention, because the debian-installer package failed to access /etc/apt/trusted.gpg when running apt as a regular user, during its download of udebs when building d-i images. I've worked around that, by making debian-installer use /usr/share/keyrings/debian-archive-keyring.gpg instead. (Which I feel is suboptimal, but oh well..) I feel that the current situation is bad, because the mode of the file on a newly installed system is not well defined. Using a different method to bootstrap a Debian system can easily result in apt not yet being installed when debian-archive-keyring is first configured, and then the file will be installed mode 644 again. This also seems easy enough to fix in apt: Just pick a mode (preferably one that's a good choice for most users), and make apt-key and apt's postinst both ensure that if the file doesn't exist, it's created with that mode. (Or, if the mode you choose if 600, just remove the abovequoted lines from apt's postinst, and remove the old obsolete /usr/share/apt/debian-archive.gpg -- the apt-key update that follows those lines would then result in the file always being created mode 600.) -- see shy joAttachment: signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
- To: 406799-done <406799-done@bugs.debian.org>
- Subject: Close: the varying permissions of /etc/apt/trusted.gpg
- From: David Kalnischkies <kalnischkies+debian@gmail.com>
- Date: Mon, 1 Feb 2010 23:49:41 +0100
- Message-id: <c64043e61002011449n1df461c1j90d35a65e101fa46@mail.gmail.com>
Version: 0.7.25.1 APT version 0.7.25.1 doesn't ship his own version of the archive keyrings any longer as indicated in the changelog: * share/*-archive.gpg: - remove the horrible outdated files. We already depend on the keyring so we don't need to ship our own version So the problem reported here should be fixed and i therefore close this bug now, but feel free to reopen it if you disagree. Best regards / Mit freundlichen Grüßen, David "DonKult" Kalnischkies
--- End Message ---