Bug#1066028: marked as done (apt upgrade /apt-key manual page inconsistency)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Mon, 11 Mar 2024 13:14:44 +0100
with message-id <xogko5cer63vrye3wjiphy25wmtguwmpbdkg3bfrfozzmsamfo@tqpixnnaam6g>
and subject line Re: Bug#1066028: apt upgrade /apt-key manual page inconsistency
has caused the Debian Bug report #1066028,
regarding apt upgrade /apt-key manual page inconsistency
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1066028: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066028
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: apt upgrade /apt-key manual page inconsistency
• From: Roger Wolff <R.E.Wolff@BitWizard.nl>
• Date: Mon, 11 Mar 2024 09:30:17 +0000
• Message-id: <[🔎] 171014941753.1406.12272406820181410304.reportbug@tanky>

Package: apt
Version: 2.6.1
Severity: important

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?

I'm installing a package. Instructions told me to run apt update
When I did so, there was an error message. 

   * What exactly did you do (or not do) that was effective (or
     ineffective)?
I did NOT use the apt-key commandline. 

   * What was the outcome of this action?
I was told by apt update to see the apt-key manual page under DEPRICATED
for information on how to proceed with this situation. 

I did so and was told to replace something I didn't type with something
I don't need. As said before: I never used the apt-key commandline. I just 
got the message from apt update. 

   * What outcome did you expect instead?

I expected at least some clear information on how to proceed. Windows users
apparently know that when you get an error message "Router didnot issue an
IP addresss" that something entirely different is going on. 

I'm a stupid Linux user. I expect error messages to point me in the right 
direction. (i.e. "permission denied" when that's the case and not "directory
doesn't exist or  .. or ... (nothing about permissions). 



-- Package-specific info:

-- apt-config dump --

APT "";
APT::Architecture "armhf";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Install-Recommends "1";
APT::Install-Suggests "0";
APT::Sandbox "";
APT::Sandbox::User "_apt";
APT::NeverAutoRemove "";
APT::NeverAutoRemove:: "^firmware-linux.*";
APT::NeverAutoRemove:: "^linux-firmware$";
APT::NeverAutoRemove:: "^linux-image-[a-z0-9]*$";
APT::NeverAutoRemove:: "^linux-image-[a-z0-9]*-[a-z0-9]*$";
APT::VersionedKernelPackages "";
APT::VersionedKernelPackages:: "linux-.*";
APT::VersionedKernelPackages:: "kfreebsd-.*";
APT::VersionedKernelPackages:: "gnumach-.*";
APT::VersionedKernelPackages:: ".*-modules";
APT::VersionedKernelPackages:: ".*-kernel";
APT::Never-MarkAuto-Sections "";
APT::Never-MarkAuto-Sections:: "metapackages";
APT::Never-MarkAuto-Sections:: "tasks";
APT::Move-Autobit-Sections "";
APT::Move-Autobit-Sections:: "oldlibs";
APT::Architectures "";
APT::Architectures:: "armhf";
APT::Architectures:: "arm64";
APT::Compressor "";
APT::Compressor::. "";
APT::Compressor::.::Name ".";
APT::Compressor::.::Extension "";
APT::Compressor::.::Binary "";
APT::Compressor::.::Cost "0";
APT::Compressor::zstd "";
APT::Compressor::zstd::Name "zstd";
APT::Compressor::zstd::Extension ".zst";
APT::Compressor::zstd::Binary "zstd";
APT::Compressor::zstd::Cost "60";
APT::Compressor::zstd::CompressArg "";
APT::Compressor::zstd::CompressArg:: "-19";
APT::Compressor::zstd::UncompressArg "";
APT::Compressor::zstd::UncompressArg:: "-d";
APT::Compressor::lz4 "";
APT::Compressor::lz4::Name "lz4";
APT::Compressor::lz4::Extension ".lz4";
APT::Compressor::lz4::Binary "false";
APT::Compressor::lz4::Cost "50";
APT::Compressor::gzip "";
APT::Compressor::gzip::Name "gzip";
APT::Compressor::gzip::Extension ".gz";
APT::Compressor::gzip::Binary "gzip";
APT::Compressor::gzip::Cost "100";
APT::Compressor::gzip::CompressArg "";
APT::Compressor::gzip::CompressArg:: "-6n";
APT::Compressor::gzip::UncompressArg "";
APT::Compressor::gzip::UncompressArg:: "-d";
APT::Compressor::xz "";
APT::Compressor::xz::Name "xz";
APT::Compressor::xz::Extension ".xz";
APT::Compressor::xz::Binary "xz";
APT::Compressor::xz::Cost "200";
APT::Compressor::xz::CompressArg "";
APT::Compressor::xz::CompressArg:: "-6";
APT::Compressor::xz::UncompressArg "";
APT::Compressor::xz::UncompressArg:: "-d";
APT::Compressor::bzip2 "";
APT::Compressor::bzip2::Name "bzip2";
APT::Compressor::bzip2::Extension ".bz2";
APT::Compressor::bzip2::Binary "bzip2";
APT::Compressor::bzip2::Cost "300";
APT::Compressor::bzip2::CompressArg "";
APT::Compressor::bzip2::CompressArg:: "-6";
APT::Compressor::bzip2::UncompressArg "";
APT::Compressor::bzip2::UncompressArg:: "-d";
APT::Compressor::lzma "";
APT::Compressor::lzma::Name "lzma";
APT::Compressor::lzma::Extension ".lzma";
APT::Compressor::lzma::Binary "xz";
APT::Compressor::lzma::Cost "400";
APT::Compressor::lzma::CompressArg "";
APT::Compressor::lzma::CompressArg:: "--format=lzma";
APT::Compressor::lzma::CompressArg:: "-6";
APT::Compressor::lzma::UncompressArg "";
APT::Compressor::lzma::UncompressArg:: "--format=lzma";
APT::Compressor::lzma::UncompressArg:: "-d";
Dir "/";
Dir::State "var/lib/apt";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::extended_states "extended_states";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::sourceparts "sources.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::netrc "auth.conf";
Dir::Etc::netrcparts "auth.conf.d";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Etc::preferencesparts "preferences.d";
Dir::Etc::trusted "trusted.gpg";
Dir::Etc::trustedparts "trusted.gpg.d";
Dir::Etc::apt-listchanges-main "listchanges.conf";
Dir::Etc::apt-listchanges-parts "listchanges.conf.d";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::solvers "";
Dir::Bin::solvers:: "/usr/lib/apt/solvers";
Dir::Bin::planners "";
Dir::Bin::planners:: "/usr/lib/apt/planners";
Dir::Bin::dpkg "/usr/bin/dpkg";
Dir::Bin::gzip "/bin/gzip";
Dir::Bin::bzip2 "/bin/bzip2";
Dir::Bin::xz "/usr/bin/xz";
Dir::Bin::lz4 "/usr/bin/lz4";
Dir::Bin::zstd "/usr/bin/zstd";
Dir::Bin::lzma "/usr/bin/xz";
Dir::Media "";
Dir::Media::MountPath "/media/apt";
Dir::Log "var/log/apt";
Dir::Log::Terminal "term.log";
Dir::Log::History "history.log";
Dir::Log::Planner "eipp.log.xz";
Dir::Ignore-Files-Silently "";
Dir::Ignore-Files-Silently:: "~$";
Dir::Ignore-Files-Silently:: "\.disabled$";
Dir::Ignore-Files-Silently:: "\.bak$";
Dir::Ignore-Files-Silently:: "\.dpkg-[a-z]+$";
Dir::Ignore-Files-Silently:: "\.ucf-[a-z]+$";
Dir::Ignore-Files-Silently:: "\.save$";
Dir::Ignore-Files-Silently:: "\.orig$";
Dir::Ignore-Files-Silently:: "\.distUpgrade$";
Acquire "";
Acquire::AllowInsecureRepositories "0";
Acquire::AllowWeakRepositories "0";
Acquire::AllowDowngradeToInsecureRepositories "0";
Acquire::cdrom "";
Acquire::cdrom::mount "/media/cdrom/";
Acquire::IndexTargets "";
Acquire::IndexTargets::deb "";
Acquire::IndexTargets::deb::Packages "";
Acquire::IndexTargets::deb::Packages::MetaKey "$(COMPONENT)/binary-$(ARCHITECTURE)/Packages";
Acquire::IndexTargets::deb::Packages::flatMetaKey "Packages";
Acquire::IndexTargets::deb::Packages::ShortDescription "Packages";
Acquire::IndexTargets::deb::Packages::Description "$(RELEASE)/$(COMPONENT) $(ARCHITECTURE) Packages";
Acquire::IndexTargets::deb::Packages::flatDescription "$(RELEASE) Packages";
Acquire::IndexTargets::deb::Packages::Optional "0";
Acquire::IndexTargets::deb::Translations "";
Acquire::IndexTargets::deb::Translations::MetaKey "$(COMPONENT)/i18n/Translation-$(LANGUAGE)";
Acquire::IndexTargets::deb::Translations::flatMetaKey "$(LANGUAGE)";
Acquire::IndexTargets::deb::Translations::ShortDescription "Translation-$(LANGUAGE)";
Acquire::IndexTargets::deb::Translations::Description "$(RELEASE)/$(COMPONENT) Translation-$(LANGUAGE)";
Acquire::IndexTargets::deb::Translations::flatDescription "$(RELEASE) Translation-$(LANGUAGE)";
Acquire::IndexTargets::deb-src "";
Acquire::IndexTargets::deb-src::Sources "";
Acquire::IndexTargets::deb-src::Sources::MetaKey "$(COMPONENT)/source/Sources";
Acquire::IndexTargets::deb-src::Sources::flatMetaKey "Sources";
Acquire::IndexTargets::deb-src::Sources::ShortDescription "Sources";
Acquire::IndexTargets::deb-src::Sources::Description "$(RELEASE)/$(COMPONENT) Sources";
Acquire::IndexTargets::deb-src::Sources::flatDescription "$(RELEASE) Sources";
Acquire::IndexTargets::deb-src::Sources::Optional "0";
Acquire::Changelogs "";
Acquire::Changelogs::URI "";
Acquire::Changelogs::URI::Origin "";
Acquire::Changelogs::URI::Origin::Debian "https://metadata.ftp-master.debian.org/changelogs/@CHANGEPATH@_changelog";;
Acquire::Changelogs::URI::Origin::Ubuntu "https://changelogs.ubuntu.com/changelogs/pool/@CHANGEPATH@/changelog";;
Acquire::Changelogs::AlwaysOnline "";
Acquire::Changelogs::AlwaysOnline::Origin "";
Acquire::Changelogs::AlwaysOnline::Origin::Ubuntu "1";
Acquire::PDiffs "0";
Acquire::Languages "";
Acquire::Languages:: "en";
Acquire::Languages:: "none";
Acquire::CompressionTypes "";
Acquire::CompressionTypes::xz "xz";
Acquire::CompressionTypes::bz2 "bzip2";
Acquire::CompressionTypes::lzma "lzma";
Acquire::CompressionTypes::gz "gzip";
Acquire::CompressionTypes::lz4 "lz4";
Acquire::CompressionTypes::zst "zstd";
DPkg "";
DPkg::Path "/usr/sbin:/usr/bin:/sbin:/bin";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "/usr/bin/apt-listchanges --apt || test $? -lt 10";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";
DPkg::Tools "";
DPkg::Tools::Options "";
DPkg::Tools::Options::/usr/bin/apt-listchanges "";
DPkg::Tools::Options::/usr/bin/apt-listchanges::Version "2";
DPkg::Tools::Options::/usr/bin/apt-listchanges::InfoFD "20";
Binary "apt-config";
Binary::apt "";
Binary::apt::APT "";
Binary::apt::APT::Color "1";
Binary::apt::APT::Cache "";
Binary::apt::APT::Cache::Show "";
Binary::apt::APT::Cache::Show::Version "2";
Binary::apt::APT::Cache::AllVersions "0";
Binary::apt::APT::Cache::ShowVirtuals "1";
Binary::apt::APT::Cache::Search "";
Binary::apt::APT::Cache::Search::Version "2";
Binary::apt::APT::Cache::ShowDependencyType "1";
Binary::apt::APT::Cache::ShowVersion "1";
Binary::apt::APT::Get "";
Binary::apt::APT::Get::Upgrade-Allow-New "1";
Binary::apt::APT::Get::Update "";
Binary::apt::APT::Get::Update::InteractiveReleaseInfoChanges "1";
Binary::apt::APT::Cmd "";
Binary::apt::APT::Cmd::Show-Update-Stats "1";
Binary::apt::APT::Cmd::Pattern-Only "1";
Binary::apt::APT::Keep-Downloaded-Packages "0";
Binary::apt::DPkg "";
Binary::apt::DPkg::Progress-Fancy "1";
Binary::apt::DPkg::Lock "";
Binary::apt::DPkg::Lock::Timeout "-1";
CommandLine "";
CommandLine::AsString "apt-config dump";

-- (no /etc/apt/preferences present) --


-- (no /etc/apt/preferences.d/* present) --


-- /etc/apt/sources.list --

deb [ arch=armhf ] http://raspbian.raspberrypi.com/raspbian/ bookworm main contrib non-free rpi
# Uncomment line below then 'apt-get update' to enable 'apt-get source'
#deb-src http://raspbian.raspberrypi.com/raspbian/ bookworm main contrib non-free rpi

-- /etc/apt/sources.list.d/raspi.list --

deb http://archive.raspberrypi.com/debian/ bookworm main
# Uncomment line below then 'apt-get update' to enable 'apt-get source'
#deb-src http://archive.raspberrypi.com/debian/ bookworm main

-- System Information:
Distributor ID:	Raspbian
Description:	Raspbian GNU/Linux 12 (bookworm)
Release:	12
Codename:	bookworm
Architecture: armv6l

Kernel: Linux 6.1.0-rpi7-rpi-v6 (UP)
Kernel taint flags: TAINT_CRAP
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser                   3.134
ii  gpgv                      2.2.40-1.1
ii  libapt-pkg6.0             2.6.1
ii  libc6                     2.36-9+rpt2+deb12u3
ii  libgcc-s1                 12.2.0-14+rpi1
ii  libgnutls30               3.7.9-2
ii  libseccomp2               2.5.4-1+rpi1+b1
ii  libstdc++6                12.2.0-14+rpi1
ii  libsystemd0               252.17-1~deb12u1+rpi1
ii  raspbian-archive-keyring  20120528.2

Versions of packages apt recommends:
ii  ca-certificates  20230311

Versions of packages apt suggests:
pn  apt-doc                      <none>
pn  aptitude | synaptic | wajig  <none>
ii  dpkg-dev                     1.21.22+rpi1
ii  gnupg                        2.2.40-1.1
pn  powermgmt-base               <none>

-- no debconf information

--- End Message ---

--- Begin Message ---

• To: Roger Wolff <R.E.Wolff@bitwizard.nl>, 1066028-done@bugs.debian.org
• Subject: Re: Bug#1066028: apt upgrade /apt-key manual page inconsistency
• From: David Kalnischkies <david@kalnischkies.de>
• Date: Mon, 11 Mar 2024 13:14:44 +0100
• Message-id: <xogko5cer63vrye3wjiphy25wmtguwmpbdkg3bfrfozzmsamfo@tqpixnnaam6g>
• In-reply-to: <[🔎] 171014941753.1406.12272406820181410304.reportbug@tanky>
• References: <[🔎] 171014941753.1406.12272406820181410304.reportbug@tanky>

On Mon, Mar 11, 2024 at 09:30:17AM +0000, Roger Wolff wrote:
>    * What led up to the situation?
>
> I'm installing a package. Instructions told me to run apt update
> When I did so, there was an error message.

What package, which instructions and what error message?

Debian alone has 70.000+ packages, apt a couple hundred error messages
and "instructions" is too dubious to even assign a ball park number…

So, paraphrasing what you wrote later: how are you expecting that as
an apt developer I apparently know all the details then you send a
message without any.


>    * What exactly did you do (or not do) that was effective (or
>      ineffective)?
> I did NOT use the apt-key commandline.

So, I suppose the WARNING message you saw was about the "legacy
trusted.gpg keyring" (no, that isn't the only possible choice)?

And based on what you said before I presume you wanted to install some
package from a third-party repository, which has some instructions you
followed to effectively add their key and also told you to run "apt
update" so that the data from that newly added repo is downloaded and
used?


I don't know the package nor the 3rd-party repo as you haven't told us,
so I don't know what you did wrong based on properly wrong and/or
outdated instructions, but that isn't my nor apts fault and henceforth
not a bug. If anything its a feature reminding people they shouldn't
blindly add old and/or crappy 3rd party repos.


>    * What was the outcome of this action?
> I was told by apt update to see the apt-key manual page under DEPRICATED
> for information on how to proceed with this situation. 
> 
> I did so and was told to replace something I didn't type with something
> I don't need. As said before: I never used the apt-key commandline. I just 
> got the message from apt update. 

Stuff doesn't materialize out of thin air. If you insist on not having
run apt-key, you will have run something similar, perhaps via those
fun things like "wget -O- http://example.org/please-exploit-me | sudo bash".

There are too many ways you could possibly end up here, but all those
ways are wrong. They are either fragile or insecure, usually both.
The manpage gives just one common example, but really it is the job of
the "instructions" you followed to not lead you astray to begin with.


>    * What outcome did you expect instead?
> 
> I expected at least some clear information on how to proceed.

Well, how the "information to proceed" is spelled out changed over the
years, but the underlying message remained the same in the last … 14+
years in which the general advice was not to use apt-key: If you use a
repository that can't be bothered to provide you with issue free usage
instructions, should you really be using that repository?

Sadly, telling people that doesn't help anyone as people usually add
such repos because they (FSVO) need the packages included, but it
serves as a good reminder to all the people who see this message that
apparently the repository was never tested by its creators and
henceforth is equally well supported by them given you also naturally
raised your issues here instead of talking to those creators…


Anyhow, this report started out with insufficient details and even with
guesstimated details added it remains an issue of a third-party that is
unwilling to support its own users. I am therefore closing as not a bug
(in/for Debian).

You may disagree on the closure and reopen, but be prepared to provide
a hell of a lot more details than you initially provided to make your
case sound.


Best regards

David Kalnischkies

Attachment: signature.asc
Description: PGP signature

--- End Message ---