[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#968148: /usr/bin/apt-key: Suggestion for manpage and Warning


On Mon, Feb 01, 2021 at 12:42:01PM +0000, Julian Gilbey wrote:
> I just stumbled upon an "Ask Ubuntu" discussion, which has a very
> clear explanation of (at least some of) the reasons for the
> deprecation of apt-key and what to do instead:
> https://askubuntu.com/questions/1286545/what-commands-exactly-should-replace-the-deprecated-apt-key/1300076#1300076
> Logging it here in the hope that it will be of use to others.

It's Julian (juliank) who runs this deprecation and I have close to zero
interest in third party repositories, so I do not want to bud in on
these BUT that linked accepted answer is really not a good answer…
at least scroll a bit down and read the others if you really must.

In my opinion this isn't something a user has to concern itself with
though. The 3rd party repository has to explain how it can be added and
incidently that will be and always was at least slightly different for
all of them as they are all slightly different in what they provide and
how (flat vs. dists repo, binary or ascii key, keyring package or not,
name of components, pinning, …). If a repository has no documentation on
how to properly use it, I at least wouldn't dare to use it… (but I don't
use any, so there is that…).

See e.g. https://wiki.debian.org/DebianRepository/UseThirdParty

That wiki page says APT isn't supporting ASCII armored keys, but it does
nowadays – but as this isn't universally true for all apt versions still
in existence/use it's fine for now to pretend otherwise I guess.

So, not saying that is a good idea, but to achieve what the accepted
answer does without the potential failure modes this has (thanks to
particularities with the invocation of gnupg in different versions –
which might not even be installed but would need to be for apt-key):

$ sudo /usr/lib/apt/apt-helper download-file 'https://download.teamviewer.com/download/linux/signature/TeamViewer2017.asc' /etc/apt/trusted.gpg.d/teamviewer.asc

No, I haven't tried it. This is also not an endorsement of that repo,
that key or adding it to trusted.gpg.d directly. Using apt-helper as
I know that is available while wget/curl/whatever might not. Not that
I wouldn't recommend that either – and please don't ask me for some as
the only I am comfortable giving is "Don't use 3rd party repos" and that
is probably not what anyone reading this wants to hear…

Best regards

David Kalnischkies

Attachment: signature.asc
Description: PGP signature

Reply to: