
Bug#620064: apt: please drop dependency on gnupg



* David Kalnischkies [2011-03-30 18:11 +0200]:
> On Tue, Mar 29, 2011 at 21:30, Carsten Hey <carsten@debian.org> wrote:
> > * David Kalnischkies [2011-03-29 20:03 +0200]:
> >> On Tue, Mar 29, 2011 at 18:32, Carsten Hey <carsten@debian.org> wrote:
> Support was added in 0.7.25.1 -- some bugfixes occurred later,
> so to be safe assume squeeze version of APT (0.8.10.3) provides it.

Very good, since skipping a stable release is not supported, this is
nothing we need to think about anymore :)

> > 2b. d-a-k drops the dependency on gnupg and still uses apt-key in its
> >    maintainer scripts
> >
> >    not done
>
> Yeah, either d-a-k or APT can remove the gnupg dependency, but not both
> as otherwise you will have in a new installation the problem that gnupg is not
> around to manage the trusted.gpg file…
>
> I mean, APT could remove it now without changing anything - and d-a-k
> can do it after implementing 2c, but if it is done before, the key will not be
> available for verification…

First google hit (at least here) when searching for "ubuntu ppa gpg" is:

  http://gentoo-blog.de/ubuntu/ubuntu-gpg-error-httpppalaunchpadnet-intrepid-release/

... and it explains how to use apt-key to add keys.  The second hit has
essentially the same key in the first comment and the third hit also uses
apt-key add.

Sounds like recommending gnupg instead of suggesting it or even dropping
the dependency would be a good idea since people really use it.  People
who know what they do could still ignore this recommendation.

When apt recommends gnupg there is not much left for gpgv: either depend
on it or do not mention it, because gnupg already depends on gpgv.

I wrote earlier that keyring packages are just data.  Maybe letting the
keyring packages depend on gpgv isn't that bad; it would ensure that
installed keyring packages can be used, and there isn't much useful you
could do with them besides verifying release files.  I see no other way to
express:

  "gnupg should be installed by default because people would be
  surprised if apt-key wouldn't work but they should also be able to
  remove it. gpgv is more important than gnupg, so this should normally
  even be installed if gnupg is not."

The above would lead to:

  apt recommends d-a-k and gnupg
  d-a-k depends on gpgv

or

  apt depends on d-a-k and recommends gnupg
  d-a-k depends on gpgv

> >> For me a plan looks more like:
> >> - switch all keyring packages to store their keyrings in the new (=squeeze
> >>   supports it) trusted.gpg.d directory - at best even more fragments if it
> >>   makes sense, e.g. oldstable keys in an other file than the one for testing.
> >>   Links are fine, too.
> >
> > This is 2a and 2c from my list above.
> >
> > As long as the old interface is not removed and the other keyring
> > packages depend on gnupg, there is no need to touch them now.  Switching
> > them can be done later.  Prerequisite for this is that apt-key fails in
> > a sane way if gnupg is not installed.
>
> It doesn't currently (command not found), but after all, what is a
> 'sane way' to fail?

The following is also just a "command not found" and could be written in
better words:

# apt-get purge dialog
# orphaner
/usr/sbin/orphaner: You need "dialog" in $PATH to run this frontend.
zsh: exit 1     orphaner

The difference between the above and the usual "command not found: ..."
is in my opinion that the former makes it clear that this is not a bug
and it is intended to behave that way.

Patch attached.

> apt-key would need to fail, causing the maintainer script to fail, so
> the package fails to install. The alternative is 'just' printing
> a warning, which nobody will see…

I think only one (see below) could fail; the current dependencies should
ensure apt-key works in the keyrings' maintainer scripts.  When keyring
packages drop the gnupg dependency they need to also simultaneously
switch to the new apt interface (this is the reverse of how I originally
thought it should be done, but I think this way is better).

> >> (- remove the apt dependency from all keyring packages)
> >
> > I don't think there is one.
>
> debian-ports-archive-keyring for example, but all the others, too.
> Except d-a-k of course, this would be a circular dependency…

I see.  The postrm script for emdebian-archive-keyring is wrong.
debian-backports-keyring uses prerm.  All other packages only use
postinst to call apt-key.

> >> (- downgrade APTs d-a-k dependency to a recommend)
> >
> > If you want to make d-a-k and gpgv optional, I would let apt recommend
> > both.  In this case, ensuring that debootstrap and cdebootstrap install
> > both in their minimal variants might be useful (people could still
> > remove these packages).
> >
> > I have no opinion whether d-a-k and gpgv should be optional or not.
>
> It's the connotation of #558784 - be able to decide on your own which keys
> to trust, so you probably don't want to automatically trust new keys.
> And as you said chroots or embedded systems might like it, too.
> So a Recommends would in my eyes be a better fit than Depends
> as APT can work without it - just not the security features in it.
> d-a-k will still be around in all but very unusual cases because of
> being 'important' and recommends being installed by default.

I agree about only recommending d-a-k.

Whether gpgv could be just a recommendation (either direct or via d-a-k)
depends on whether apt works without gpgv.  gpgv does not have any additional
dependency after a bug I filed a while ago has been fixed (currently it
only adds libreadline), and it is rather small:

  Package: apt
  Installed-Size: 6080

  Package: gpgv
  Installed-Size: 396

> >> - close all three bugs mentioned in this bugreport here
> >
> > The d-a-k one can be closed immediately if its maintainers do the
> > upload.  Alternatively, you might want to extend (retitle and describe
> > what apt needs) it to also include adaptation of d-a-k to the new apt
> > interface.  Or you just file a new bug about this if you prefer it this
> > way.
> >
> > Without knowing the details, I guess #558784 can be closed after all
> > keyring packages have switched to the new interface and the old one has
> > been disabled in apt.  On the other hand, carrying the old interface
> > a while in Debian might be useful for third party keyring packages.
> > Then #558784 could be closed after all keyring packages in Debian have
> > switched with the rationale that only unsupported third party packages
> > using deprecated interfaces trigger it.  But as already said, I don't
> > know the details of this bug.
>
> It's just d-a-k's keys which are added again and again with its special
> handling in apt-key update, so if this is gone that bug can be closed - or
> in other words: Implement 2c and be done with it ...

Ok, I understand.  Filing bugs against all keyring packages after having
a working and complete example of how to use them, and tagging them as
blocking #558784, might be the way to go.

I attached an example postinst for keyring packages. It currently does
not handle migration from keyring packages using apt-key to the new
interface. It also does not handle removing keys (would be the wrong
script anyway ;)).

> as we wouldn't need to call apt-key update then…

I attached a related patch against apt's postinst.


Regards
Carsten
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: carsten@stateful.de-20110331000351-yntkd3nuk4dwiy5d
# target_branch: bzr+ssh://bzr.debian.org/bzr/apt/debian-sid/
# testament_sha1: 1e99401f2c75adabee9487e38fcaa94f78cfe534
# timestamp: 2011-03-31 02:05:56 +0200
# base_revision_id: mvo@debian.org-20110316072204-jlfh79s5c2bp6zyh
# 
# Begin patch
=== modified file 'cmdline/apt-key'
--- cmdline/apt-key	2011-02-08 21:26:15 +0000
+++ cmdline/apt-key	2011-03-31 00:03:51 +0000
@@ -3,6 +3,11 @@
 set -e
 unset GREP_OPTIONS
 
+if ! which gpg >/dev/null 2>&1; then
+    echo >&2 "Please install the recommended package 'gnupg' to be able to use apt-key."
+    exit 1
+fi
+
 # We don't use a secret keyring, of course, but gpg panics and
 # implodes if there isn't one available
 GPG_CMD='gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg'
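Review bot: the new guard relies on `which`, which is not POSIX and may be missing on the minimal and embedded systems this thread is about; `command -v gpg >/dev/null 2>&1` is a shell builtin and does the same check. The message itself is the kind of "sane failure" the discussion asks for, but since the check runs before any argument handling, every invocation including `apt-key help` now exits 1 without gnupg; naming the attempted action in the message (`apt-key $1`) would make failing maintainer scripts easier to trace.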

=== modified file 'debian/apt.postinst'
--- debian/apt.postinst	2010-06-09 09:51:21 +0000
+++ debian/apt.postinst	2011-03-30 23:59:01 +0000
@@ -15,7 +15,9 @@
 
 case "$1" in
     configure)
-	apt-key update
+        if which gpg >/dev/null 2>&1; then
+            apt-key update
+        fi
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
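Review bot: the configure branch now skips `apt-key update` silently when gpg is absent, so nothing tells the administrator that the archive keys were not imported into trusted.gpg; add an `else` that prints a short notice to stderr (for example `echo >&2 "gnupg not installed, skipping apt-key update"`). The same portability point as in apt-key applies: prefer `command -v gpg` over `which gpg`. The removed line used a tab while the added lines use spaces; match the file's existing indentation.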

# Begin bundle

#!/bin/sh

# Copyright © 2011 Software in the Public Interest, Inc.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted.  Additionally, permission to
# relicense this software to any OSI approved license is granted.

set -e


KEYRING_NAME=debian-archive-keyring.gpg

TRUSTED_DIR=/etc/apt/trusted.gpg.d
KEYRING_DIR=/usr/share/keyrings

KEYRING_LINK="$TRUSTED_DIR/$KEYRING_NAME"
KEYRING_DIST="$KEYRING_DIR/$KEYRING_NAME"


case "$1" in
    configure)
        # Expose the shipped keyring to apt through the trusted.gpg.d
        # fragment directory (supported since apt 0.7.25.1) instead of
        # importing it into trusted.gpg with apt-key, so gnupg is not
        # needed.  Only act when the directory exists, nothing (not even
        # a dangling link) is already in the way, and the keyring file
        # itself is present.
        if  [   -d "$TRUSTED_DIR"  ] &&
            [ ! -e "$KEYRING_LINK" ] &&
            [ ! -L "$KEYRING_LINK" ] &&
            [   -f "$KEYRING_DIST" ]
        then
            ln -s "$KEYRING_DIST" "$KEYRING_LINK"
        fi
    ;;

    abort-upgrade|abort-remove|abort-deconfigure)
    ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac
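As an added example (not from the bug report, apt or any keyring package), here is a read-only POSIX shell audit of where apt's trust roots come from, contrasting the trusted.gpg.d fragments the thread wants keyring packages to use with the legacy apt-key-managed trusted.gpg; the directory argument, the output tags and the *.gpg/*.asc filter are my assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or apt): read-only audit of where
# apt's trust roots come from.  The thread contrasts the legacy monolithic
# trusted.gpg (managed by apt-key, needs gnupg) with the trusted.gpg.d
# fragment directory, where a keyring package just links its file from
# /usr/share/keyrings.  No gpg binary is needed, so gpgv-only systems work.
set -e

# audit_apt_trust ETC_APT
# Prints one line per trust source, tagged by how it got there:
#   package   NAME -> TARGET   symlink fragment (keyring-package style)
#   dangling  NAME -> TARGET   symlink whose keyring file is gone
#   local     NAME             regular file (added by hand or by a script)
#   legacy    trusted.gpg      non-empty apt-key keyring still present
#   none                       no trust source found at all
audit_apt_trust() {
    etc_apt="$1"
    frag_dir="$etc_apt/trusted.gpg.d"
    found=0
    if [ -d "$frag_dir" ]; then
        # Assumption: only *.gpg and *.asc fragments are considered.
        for f in "$frag_dir"/*.gpg "$frag_dir"/*.asc; do
            [ -e "$f" ] || [ -L "$f" ] || continue   # unmatched glob
            name=$(basename "$f")
            if [ -L "$f" ]; then
                target=$(readlink "$f")
                if [ -e "$f" ]; then
                    printf 'package   %s -> %s\n' "$name" "$target"
                else
                    printf 'dangling  %s -> %s\n' "$name" "$target"
                fi
            else
                printf 'local     %s\n' "$name"
            fi
            found=1
        done
    fi
    if [ -s "$etc_apt/trusted.gpg" ]; then
        printf 'legacy    trusted.gpg\n'
        found=1
    fi
    [ "$found" -eq 1 ] || printf 'none\n'
}

# count_trust_sources ETC_APT TAG: number of entries carrying TAG.
count_trust_sources() {
    audit_apt_trust "$1" | grep -c "^$2 " || true
}

if [ -n "${1:-}" ]; then
    audit_apt_trust "$1"      # e.g. ./audit.sh /etc/apt
fi
```

A non-zero `legacy` count means some keys are still only reachable through apt-key, i.e. they cannot be removed individually without gnupg.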
