Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity

[Andreas Tille <andreas@an3as.eu>]

Hi,

I'm running a (quite) up to date testing and recently I stumbled upon

  $ sudo apt update
  ...
  Err:8 http://fam-tille.de/debian local InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 578A0494D1C646D1
  ...
  W: GPG error: http://fam-tille.de/debian local InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 578A0494D1C646D1
  E: The repository 'http://fam-tille.de/debian local InRelease' is not signed.
  N: Updating from such a repository can't be done securely, and is therefore disabled by default.
  N: See apt-secure(8) manpage for repository creation and user configuration details.


I have some packages for my own use (I mean there is no reason to expect
that someone wants to pull things from there) on my private web page
which I signed with my Debian key.  This was working up to recently with
apt-key.  Since this was not working any more I tried to follow the
advise given in the error message and started reading apt-secure(8)
where I just found a hint to apt-key which is deprecated.

IMHO users who are using third party repositories will get a broken
system after upgrading to Debian 11 and there is no helpful hint given
how to fix it.

BTW, I did some

   apt-key del 578A0494D1C646D1

added my key to /etc/apt/trusted.gpg.d/fam-tille.gpg and added an
according

   [signed-by=/etc/apt/trusted.gpg.d/fam-tille.gpg]

option to the sources.list line ... and it does not yet work.  So I
think it is critical to point to a solution that *really* works.

Due to potential breaking user systems I wonder if someone agrees
with bumping the severity of the bug to serious.

Kind regards

     Andreas.

-- 
http://fam-tille.de