Bug#1094263: apt: Do we really want Signed-By for official Debian archive sources?
Control: reopen -1
Samuel Thibault, on Mon 27 Jan 2025 11:36:56 +0100, wrote:
> Julian Andres Klode, on Mon 27 Jan 2025 11:34:16 +0100, wrote:
> > On Sun, Jan 26, 2025 at 04:44:33PM +0100, Samuel Thibault wrote:
> > > Are all just plain official Debian archive sources. It's not even
> > > clear which Signed-by I would be supposed to use. Apparently giving
> > > signed-by=/usr/share/keyrings/debian-archive-keyring.gpg does avoid
> > > the warning, but shouldn't that already be some default? As it is now,
> > > upgrading apt will make all users have to add that on *all* their
> > > systems to fix the warning, do we really want that?
> >
> > Yes, as the notices say upgrade them to deb822 and add the field:
> >
> > Types: deb
> > URIs: http://ftp.fr.debian.org/debian/ http://deb.debian.org/debian/
> > Suites: sid experimental
> > Components: main contrib non-free
> > Signed-By: /usr/share/keyrings/debian-archive-keyring.asc
>
> Again, do we really want that?
>
> Really, I fear an *ample* push-back from essentially all our users.
>
> As it is now, it is also really not documented enough, users will need
> the example described above.
>
> > The default keyring for sources not specifying Signed-By is
> > /etc/apt/trusted.gpg.d which is being phased out in favour
> > of explicit configuration.
> >
> > APT cannot know which keyrings to use for sources magically.
>
> It can automagically try to use the debian-archive keyring, it's meant
> for that...
A discussion on #debian-devel produced the same idea: can't Signed-By
just default to /usr/share/keyrings/debian-archive-keyring.asc?
(+trusted for the moment, and without it when we want to kill it)
(or another path on another distro based on Debian)
That way *most* entries will just continue working, pure Debian
systems won't get a worrisome warning about signatures, and only extra
repositories will need something (which I agree is a good thing).
What would be the drawback, when the benefit would be so huge?
I fear that otherwise we will just see plenty of "bah, add
trusted=yes" "tooltips" flourish on the web, thus the contrary of the
expected result.
Samuel
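The migration the thread talks about, turning one-line `sources.list` entries into deb822 stanzas that carry an explicit `Signed-By`, as an added example that is not part of this bug report nor of apt's own tooling. It assumes the default keyring path quoted in the thread (`/usr/share/keyrings/debian-archive-keyring.asc`) for entries without a `signed-by` option; the vendor keyring path, the repository URLs and the sample `sources.list` are constructed for the example. Entries carrying `trusted=yes` are kept but reported, since that option disables signature verification entirely, which is the outcome the message warns about.

```python
import re
from typing import Optional

# Keyring used when an entry has no signed-by option (path from the bug thread).
DEFAULT_KEYRING = "/usr/share/keyrings/debian-archive-keyring.asc"

# Matches the optional "[key=value ...]" block at the start of a one-line entry.
OPTION_RE = re.compile(r"^\[(.*?)\]\s*(.*)$")

# Constructed sample sources.list; hosts other than deb.debian.org/ftp.fr.debian.org are placeholders.
SAMPLE_SOURCES_LIST = """\
# constructed sample sources.list
deb http://deb.debian.org/debian/ sid main contrib non-free
deb http://ftp.fr.debian.org/debian/ sid main contrib non-free
deb [signed-by=/usr/share/keyrings/example-vendor.asc] https://apt.example.org/debian stable main
deb [trusted=yes] http://localhost/local-repo ./
"""


def parse_one_line(line: str) -> Optional[dict]:
    """Parse one `deb [opts] URI suite [components...]` line.

    Returns None for blank lines and comments, raises on malformed input.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    kind, _, rest = line.partition(" ")
    if kind not in ("deb", "deb-src"):
        raise ValueError(f"not a sources.list entry: {line!r}")
    rest = rest.strip()
    options = {}
    m = OPTION_RE.match(rest)
    if m:
        for opt in m.group(1).split():
            key, _, value = opt.partition("=")
            options[key] = value
        rest = m.group(2)
    parts = rest.split()
    if len(parts) < 2:
        raise ValueError(f"missing URI or suite: {line!r}")
    # A flat repository ("./") has no components; that is valid.
    return {"type": kind, "uri": parts[0], "suite": parts[1],
            "components": parts[2:], "options": options}


def convert(sources_list: str, default_keyring: str = DEFAULT_KEYRING):
    """Convert one-line entries to deb822 stanzas, each with an explicit Signed-By.

    Entries that differ only in URI are merged into one stanza (same suite,
    components and keyring), so the meaning of each line is preserved.
    Returns (deb822_text, warnings).
    """
    stanzas = {}   # (type, suite, components, keyring, trusted) -> [URIs]
    warnings = []
    for line in sources_list.splitlines():
        entry = parse_one_line(line)
        if entry is None:
            continue
        opts = entry["options"]
        keyring = opts.get("signed-by", default_keyring)
        trusted = opts.get("trusted", "").lower() == "yes"
        if trusted:
            warnings.append(f"{entry['uri']} {entry['suite']}: "
                            "trusted=yes disables signature verification")
        key = (entry["type"], entry["suite"], tuple(entry["components"]), keyring, trusted)
        uris = stanzas.setdefault(key, [])
        if entry["uri"] not in uris:
            uris.append(entry["uri"])

    out = []
    for (kind, suite, components, keyring, trusted), uris in stanzas.items():
        fields = [f"Types: {kind}", f"URIs: {' '.join(uris)}", f"Suites: {suite}"]
        if components:
            fields.append(f"Components: {' '.join(components)}")
        fields.append(f"Signed-By: {keyring}")
        if trusted:
            fields.append("Trusted: yes")
        out.append("\n".join(fields))
    return "\n\n".join(out) + "\n", warnings


if __name__ == "__main__":
    text, warns = convert(SAMPLE_SOURCES_LIST)
    print(text)
    for w in warns:
        print("WARNING:", w)
```

The merge key includes the keyring and the `trusted` flag on purpose: two mirrors of the same suite share a stanza only when they are verified the same way, so an entry that weakened verification never silently inherits the official keyring of its neighbour.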