Re: apt-key remove command always output OK

To: Vipul <finn02+debian@disroot.org>
Cc: deity@lists.debian.org
Subject: Re: apt-key remove command always output OK
From: David Kalnischkies <david@kalnischkies.de>
Date: Wed, 6 May 2020 11:49:21 +0200
Message-id: <[🔎] 20200506094921.auagbzhevjjwws3z@crossbow>
Mail-followup-to: Vipul <finn02+debian@disroot.org>, deity@lists.debian.org
In-reply-to: <[🔎] 48256114-6ae6-0d5a-385b-6e199b0a43a6@disroot.org>
References: <[🔎] 48256114-6ae6-0d5a-385b-6e199b0a43a6@disroot.org>

On Wed, May 06, 2020 at 08:11:15AM +0000, Vipul wrote:
> I noticed, `apt-key remove` command always print "OK" output with
> incorrect fingerprint (keys which don't exist in keyring database). For
> curiosity, I run `sudo apt-key remove` (without providing any
> fingerprint) command, prints "OK" output on terminal. Is this expected
> behavior of apt-key remove?

First of all: Expected behaviour nowadays is that nobody is using
apt-key anymore. It is a bug if you do as we do not ensure that it
is in working condition (aka: gnupg{,2} is installed) and add/remove
functionality is a thousand times better done via cp/mv/rm in
/etc/apt/trusted.gpg.d/.

apt-key and especially the remove part is only there for you to clean up
from versions which did not support that directory yet [it is supported
for a literal decade(!) now…].

Yes, apt-key has some minor remaining usecases for the public like
listing the keys in the trust store and is important for our internal
use, but neither can really be used in scripts.

> $ sudo apt-key remove
> OK

In math you will not get an error if you exclude an element from a set
even if that element was never part of the set to begin with: You get
the result you asked for: A set without that element.

apt-key chooses to work the same way here. That helps in key transitions
I presume as you can in scripts blindly fire a 'remove oldkeyid' without
carefully checking if the key is present at all (which would require
locking and stuff as well…). It also simplifies apt-key code which
wanted to be a very simple gnupg wrapper [but grew into a not so simple
monstrosity to workaround various problems we have with gnupg] which has
the same behaviour.

You could question of course if no parameter is really something which
should be handled in this way, but it is what it is now and changing it
just means breaking it for everyone who depends on that behaviour [0] –
beside, as said above, nobody expect extreme legacy is supposed to use
it still.

[0] https://xkcd.com/1172/

> One more thing, I didn't find any mention of **remove** sub-command in
> apt-key's man page; but do seems like **del** and **remove** are same.
> Why is so?

Hidden aliases which exist since day one of that script apparently.
I suppose it is a way of "doing the right thing™" for a user while
documenting only a single one to have a clear interface for scripts.

Similar to how "apt dist-upgrade" works even through documented is only
"apt full-upgrade".

If this is a good or bad idea can be debated all day long.

Best regards

David Kalnischkies

Attachment: signature.asc
Description: PGP signature

Reply to:

References:
- apt-key remove command always output OK
  - From: Vipul <finn02+debian@disroot.org>

Prev by Date: Bug#959854: apt-mark(8) man page: missing space between "SEE ALSO" items
Next by Date: Processing of apt_2.1.1_source.changes
Previous by thread: apt-key remove command always output OK
Next by thread: Bug#959854: apt-mark(8) man page: missing space between "SEE ALSO" items
Index(es):
- Date
- Thread