
Bug#1094263: marked as done (apt: Do we really want Signed-By for official Debian archive sources?)



Your message dated Mon, 27 Jan 2025 11:34:16 +0100
with message-id <20250127112724.GA3926265@debian.org>
and subject line Re: Bug#1094263: apt: Do we really want Signed-By for official Debian archive sources?
has caused the Debian Bug report #1094263,
regarding apt: Do we really want Signed-By for official Debian archive sources?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1094263: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094263
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 2.9.25
Severity: normal

Hello,

In my unstable chroot, I'm now getting

Notice: Missing Signed-By in the sources.list(5) entry for 'http://ftp.fr.debian.org/debian'
Notice: Missing Signed-By in the sources.list(5) entry for 'http://ftp.fr.debian.org/debian'
Notice: Missing Signed-By in the sources.list(5) entry for 'http://deb.debian.org/debian'
Notice: Missing Signed-By in the sources.list(5) entry for 'http://deb.debian.org/debian'
Notice: Missing Signed-By in the sources.list(5) entry for 'http://incoming.debian.org/debian-buildd'
Notice: Missing Signed-By in the sources.list(5) entry for 'http://incoming.debian.org/debian-buildd'
Notice: Consider migrating all sources.list(5) entries to the deb822 .sources format
Notice: The deb822 .sources format supports both embedded as well as external OpenPGP keys
Notice: See apt-secure(7) for best practices in configuring repository signing.

(note: apparently it shouldn't be apt-secure(7), but apt-secure(8))

These sources:

deb http://ftp.fr.debian.org/debian/ sid main contrib non-free
deb http://ftp.fr.debian.org/debian/ experimental main contrib non-free
deb http://deb.debian.org/debian/ sid main contrib non-free
deb http://deb.debian.org/debian/ experimental main contrib non-free
deb http://incoming.debian.org/debian-buildd buildd-sid main contrib non-free
deb http://incoming.debian.org/debian-buildd buildd-experimental main contrib non-free

Are all just plain official Debian archive sources. It's not even
clear which Signed-by I would be supposed to use. Apparently giving
signed-by=/usr/share/keyrings/debian-archive-keyring.gpg does avoid
the warning, but shouldn't that already be some default? As it is now,
upgrading apt will make all users have to add that on *all* their
systems to fix the warning, do we really want that?

Samuel

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'oldstable-proposed-updates-debug'), (500, 'oldoldstable'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64

Kernel: Linux 6.13.0 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apt depends on:
ii  adduser                 3.137
ii  base-passwd             3.6.6
ii  debian-archive-keyring  2023.4
ii  libapt-pkg6.0t64        2.9.23
ii  libc6                   2.40-5
ii  libgcc-s1               15-20241220-1
ii  libseccomp2             2.5.5-2
ii  libssl3t64              3.4.0-2
ii  libstdc++6              15-20241220-1
ii  libsystemd0             257.2-1
ii  sqv                     1.2.1-5

Versions of packages apt recommends:
ii  ca-certificates  20241223

Versions of packages apt suggests:
pn  apt-doc         <none>
ii  aptitude        0.8.13-6.1
ii  dpkg-dev        1.22.11
ii  gnupg           2.2.46-1
ii  gnupg1          1.4.23-3
ii  gnupg2          2.2.46-1
ii  powermgmt-base  1.38
ii  synaptic        0.91.4

-- no debconf information

-- 
Samuel
mdiym42: note to self
mdiym42: make sure your cat is not sleeping in the bass drum before you start playing them

--- End Message ---
--- Begin Message ---
On Sun, Jan 26, 2025 at 04:44:33PM +0100, Samuel Thibault wrote:
> Package: apt
> Version: 2.9.25
> Severity: normal
> 
> Hello,
> 
> In my unstable chroot, I'm now getting
> 
> Notice: Missing Signed-By in the sources.list(5) entry for 'http://ftp.fr.debian.org/debian'
> Notice: Missing Signed-By in the sources.list(5) entry for 'http://ftp.fr.debian.org/debian'
> Notice: Missing Signed-By in the sources.list(5) entry for 'http://deb.debian.org/debian'
> Notice: Missing Signed-By in the sources.list(5) entry for 'http://deb.debian.org/debian'
> Notice: Missing Signed-By in the sources.list(5) entry for 'http://incoming.debian.org/debian-buildd'
> Notice: Missing Signed-By in the sources.list(5) entry for 'http://incoming.debian.org/debian-buildd'
> Notice: Consider migrating all sources.list(5) entries to the deb822 .sources format
> Notice: The deb822 .sources format supports both embedded as well as external OpenPGP keys
> Notice: See apt-secure(7) for best practices in configuring repository signing.
> 
> (note: apparently it shouldn't be apt-secure(7), but apt-secure(8))
> 
> These sources:
> 
> deb http://ftp.fr.debian.org/debian/ sid main contrib non-free
> deb http://ftp.fr.debian.org/debian/ experimental main contrib non-free
> deb http://deb.debian.org/debian/ sid main contrib non-free
> deb http://deb.debian.org/debian/ experimental main contrib non-free
> deb http://incoming.debian.org/debian-buildd buildd-sid main contrib non-free
> deb http://incoming.debian.org/debian-buildd buildd-experimental main contrib non-free
> 
> Are all just plain official Debian archive sources. It's not even
> clear which Signed-by I would be supposed to use. Apparently giving
> signed-by=/usr/share/keyrings/debian-archive-keyring.gpg does avoid
> the warning, but shouldn't that already be some default? As it is now,
> upgrading apt will make all users have to add that on *all* their
> systems to fix the warning, do we really want that?

Yes, as the notices say upgrade them to deb822 and add the field:

    Types: deb
    URIs: http://ftp.fr.debian.org/debian/ http://deb.debian.org/debian/
    Suites: sid experimental
    Components: main contrib non-free
    Signed-By: /usr/share/keyrings/debian-archive-keyring.asc


    Types: deb
    URIs: http://incoming.debian.org/debian-buildd
    Suites: buildd-sid buildd-experimental
    Components: main contrib non-free
    Signed-By: /usr/share/keyrings/debian-archive-keyring.asc

The notice is designed to encourage adoption of deb822 sources
format. While you can work around with [signed-by] too so far,
that still leaves you on a legacy sources format and is not
recommended.

The default keyring for sources not specifying Signed-By is
/etc/apt/trusted.gpg.d which is being phased out in favour
of explicit configuration.

APT cannot know which keyrings to use for sources magically.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en

--- End Message ---
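The migration the reply prescribes, done as a script. This is an added example and not code from the bug report, from apt or from Debian: it parses legacy one-line sources.list entries (including an inline [signed-by=...] option), emits deb822 .sources stanzas with a Signed-By field, and lints deb822 text for stanzas that still lack one. The sample entries are constructed from the thread; the default keyring path /usr/share/keyrings/debian-archive-keyring.asc is taken from the reply and is an assumption about the target system. Entries are merged into one stanza per (type, URI, components, options) rather than across URIs as in the reply's hand-written stanza, because a deb822 stanza applies every URI to every Suite and merging across URIs with differing suites would enable sources the legacy file never listed.

```python
"""Convert legacy one-line sources.list entries to deb822 .sources stanzas,
filling in Signed-By, and lint deb822 text for stanzas that lack it."""
import re
from collections import OrderedDict

# Assumed default keyring: the path the maintainer's reply uses for official sources.
DEFAULT_KEYRING = "/usr/share/keyrings/debian-archive-keyring.asc"

# Legacy [option=value] names and the deb822 field each becomes.
OPTION_FIELDS = {
    "signed-by": "Signed-By",
    "arch": "Architectures",
    "lang": "Languages",
    "target": "Targets",
    "trusted": "Trusted",
    "check-valid-until": "Check-Valid-Until",
}

# Constructed sample input: the reporter's entries, plus one entry that already
# carries an inline signed-by option and a comment line, to exercise both paths.
LEGACY_SOURCES = """\
# official mirrors
deb http://ftp.fr.debian.org/debian/ sid main contrib non-free
deb http://ftp.fr.debian.org/debian/ experimental main contrib non-free
deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://deb.debian.org/debian/ sid main contrib non-free
deb http://incoming.debian.org/debian-buildd buildd-sid main contrib non-free
"""

_LINE_RE = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)\s*(.*)$")


def parse_legacy_line(line):
    """Parse one 'deb [opts] URI suite [components...]' line; None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable sources.list line: {line!r}")
    typ, opts, uri, suite, comps = m.groups()
    options = {}
    for opt in (opts or "").split():
        key, _, value = opt.partition("=")
        if key not in OPTION_FIELDS:
            raise ValueError(f"unsupported option {key!r} in {line!r}")
        options[key] = value.replace(",", " ")  # legacy option lists are comma-separated
    return {"type": typ, "uri": uri, "suite": suite,
            "components": comps.split(), "options": options}


def to_deb822(legacy_text, default_keyring=DEFAULT_KEYRING):
    """Emit deb822 stanzas, one per (type, URI, components, options), so each
    stanza's Suites apply to exactly that URI. Signed-By falls back to
    default_keyring when the legacy entry carried no signed-by option."""
    groups = OrderedDict()
    for raw in legacy_text.splitlines():
        e = parse_legacy_line(raw)
        if e is None:
            continue
        key = (e["type"], e["uri"], tuple(e["components"]),
               tuple(sorted(e["options"].items())))
        suites = groups.setdefault(key, [])
        if e["suite"] not in suites:
            suites.append(e["suite"])
    stanzas = []
    for (typ, uri, comps, opts), suites in groups.items():
        opts = dict(opts)
        signed_by = opts.pop("signed-by", default_keyring)
        fields = [("Types", typ), ("URIs", uri), ("Suites", " ".join(suites))]
        if comps:  # flat repositories (suite ending in '/') have no components
            fields.append(("Components", " ".join(comps)))
        fields.append(("Signed-By", signed_by))
        fields.extend((OPTION_FIELDS[k], v) for k, v in opts.items())
        stanzas.append("\n".join(f"{k}: {v}" for k, v in fields))
    return "\n\n".join(stanzas) + "\n"


def lint_deb822(text):
    """Return the URIs of every stanza without a Signed-By field, i.e. the
    stanzas that would still trigger apt's 'Missing Signed-By' notice."""
    missing = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        last = None
        for line in stanza.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            if line[0] in " \t" and last:  # continuation line, e.g. an embedded key block
                fields[last] += "\n" + line.strip()
                continue
            key, _, value = line.partition(":")
            last = key.strip().lower()
            fields[last] = value.strip()
        if "uris" in fields and "signed-by" not in fields:
            missing.append(fields["uris"])
    return missing


if __name__ == "__main__":
    converted = to_deb822(LEGACY_SOURCES)
    print(converted)
    print("stanzas without Signed-By:", lint_deb822(converted))
```

Running it on the sample produces three stanzas (ftp.fr with "Suites: sid experimental", deb.debian.org keeping its own .gpg keyring, and incoming.debian.org) and an empty lint result; feeding lint_deb822 a stanza that omits Signed-By returns that stanza's URIs, which is the condition to check after hand-editing /etc/apt/sources.list.d/*.sources.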
