
Bug#1094263: closed by Julian Andres Klode <jak@debian.org> (Re: Bug#1094263: apt: Do we really want Signed-By for official Debian archive sources?)



Wow...

I'm sorry my mail triggered so much reaction.

I'm however afraid I'm here just expressing the concern that people will
have in general.

Really, I'm trying to expose things that I believe will only appear very
strongly whenever the new apt hits testing, and trying to expose that
*before* that happens and the mob shows up.

Julian wrote:
> I have just spent about 9 hours non-stop without any food implementing
> a command to simplify the transition for users

I'm sorry this is taking you at a very wrong time :/

From what was visible from the outside, it was really not clear that
such a transition command was on its way.

> I have asserted that what you are asking for does not
> make sense. By reopening your bug and asking the same
> thing again, you are questioning my integrity.

No, rather, that I didn't understand why it does not make sense, and
thus the bug entry still deserves explanations/rationale.

> 0. The new .sources format was introduced almost 10 years

I didn't even know it was there for so long.

> After 10 years, I believe we are at the point where
> telling people that *still* have not migrated is right,

But people weren't even aware that signed-by would need to be added even
for the main archive (I'm sorry, but no, a debconf talk does not work as
an announcement)

> The DebConf 22 talk explicitly gives a timeline for
> signing changes:

I looked back at the video, I believe it was really not clear there that
the archive key would *have* to be set too.

Btw, also seen in the talk along the way: thanks so much for the smart
kernel autoremoval work, it's so useful!

> and we can't be held accountable for the inaction of
> other maintainers. We have tried for years to get them
> moving, but eventually enough _must_ be enough, and we
> must use the only means remaining: technical means.

I see that the apt-setup request has been sitting for a long time, for
instance. But debian-boot also has a lot to care for and way too few
people to tackle it. The best course of action there is not the stick
but the carrot: proposing a patch.

> I believe that the reaction here is over-proportional,

My reaction? I believe it's really soft compared to the reaction
that I fear from our users after such technical means without the
modernize-sources command.

> it's the classic "hate mob" mentality of trying to
> shove your opinion down by relentlessly attacking

"Relentless" with just 3 mails and one re-open?

> But I admit that the messages in APT are somewhat
> verbose. I believe the reduction to a single notice
> pointing users at a chance to "modernize their sources"
> rather than a notice complaining about missing signed-by
> will substantially alleviate concerns.

Yes. It's really the series of signed-by warning lines that poses the most
problems.

The example I gave in the report was a simple chroot.
On my main box, with the new apt version I'm getting 21 warnings just
for signed-by. With the deb822 warnings that just fills up my terminal
completely.

> > A discussion on #debian-devel produced the same idea: can't Signed-By
> > just default to /usr/share/keyrings/debian-archive-keyring.asc?
> > (+trusted for the moment, and without it when we want to kill it)
> > 
> > (or another path on another distro based on Debian)
> > 
> > That way *most* entries will just continue working, pure debian
> > systems won't get a worrisome warning about signatures, and only extra
> > repositories will need something (which I agree is a good thing).
> > 
> > What would be the drawback, when the benefit would be so huge?
> 
> This is not correct.
> 
> As you are well aware, APT maintains rigorous backwards compatibility,
> therefore we do not simply want to disable trusted.gpg.d support.
> 
> ## Theorem: Implicit signed-by requires breaking repositories
> 
> If we wanted an implicit default Signed-By, we would no
> longer be able to have that fallback,

That's why I mentioned "+trusted". Is that really not possible to
implement?

> Proof. This doesn't take an expert to consider: If we automatically
> fell back from an implicit Signed-By to the global keyring,
> still any key in the global keyring can sign the repository
> - we do not gain any security/safety.

But isn't the distribution archive keyring (I'm not talking about more
than that keyring) exactly what is supposed to be trusted from the start
anyway?

> ## Theorem: Implicit Signed-By must be hardcoded in APT code.
> 
> Proof. Consider the implicit Signed-By value was not hardcoded,
> and therefore configurable; keyring packages and end users could
> just configure additional keyrings via etc. apt.conf.d snippets
> - this is just an obfuscation of the trusted.gpg.d method.

Only if it's easy to extend the configuration. If the configuration item
is a value that can only be replaced completely, people won't be able to
easily replace a trusted.gpg.d method through configuration add-ons.

And if people really put their dozen keyrings in that single
configuration item, well too bad for them, they might as well just have
not bothered and set trusted=yes, we can't prevent people from shooting
themselves in the foot.

> ## Uniformity
> 
> Please also consider the implementers of tools working with APT
> sources, as well as end users. Having to special-case some repositories
> rather than having a uniform handling is detrimental to their
> experience, as they need to implement/consider the same logic.

The archive which was used to install the system *is* special. It does
make sense to the user that it's a particular thing that provides most of
the packages, notably.

> > I fear that otherwise we will just see plenty of “bah, add
> > trusted=yes” "tooltips" flourish on the web, thus the contrary of the
> > expected result.
> 
> I have specifically considered that today while working on
> the modernize-sources branch, and the result is that 'trusted=yes'
> must *NOT* remove the notice.

Ok.

> I believe that the work I poured my heart and soul into today,
> to total exhaustion and the detriment of my health, to introduce
> the `apt modernize-sources` command will significantly reduce
> the friction of the transition.

Thanks a lot for this! It was really not clear from the warnings and
documentation that it was happening.

Again, sorry that this triggered so much suffering, I'm only trying to help
avoid a mob reaction.
Samuel
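As an added illustration of the transition this thread is about (example code written for this page; it is not apt's own `modernize-sources` implementation, nor any other code from the apt project): a small converter that turns legacy one-line sources.list entries into deb822 `.sources` stanzas, writes an explicit `Signed-By:` into each stanza from a caller-supplied host-to-keyring map, folds `deb` and `deb-src` lines for the same repository into one stanza, and reports the two conditions argued about above: an entry with no Signed-By at all, and an entry that relies on `trusted=yes` (which, as the quoted reply says, must not silence the notice). The keyring path is the one mentioned in the thread; the host list, the `DEFAULT_KEYRINGS` map and the sample sources.list are assumptions constructed for the example.

```python
"""Convert legacy one-line APT sources to deb822 .sources stanzas with explicit Signed-By.

Example code written for this discussion; it is not apt's modernize-sources
implementation and does not try to mirror its exact behaviour.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption for this example: which hosts count as "the archive" and which
# keyring verifies them. The Debian path is the one discussed in the thread.
DEFAULT_KEYRINGS = {
    "deb.debian.org": "/usr/share/keyrings/debian-archive-keyring.asc",
    "security.debian.org": "/usr/share/keyrings/debian-archive-keyring.asc",
}

# Legacy syntax: <deb|deb-src> [opt=val ...] <uri> <suite> [component ...]
ONE_LINE_RE = re.compile(
    r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)((?:\s+\S+)*)\s*$"
)


@dataclass
class SourceEntry:
    types: list[str]
    uri: str
    suite: str
    components: list[str]
    options: dict[str, str] = field(default_factory=dict)


def parse_one_line(line: str) -> SourceEntry | None:
    """Parse one sources.list line; return None for blank or comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = ONE_LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable source line: {line!r}")
    typ, opts, uri, suite, comps = m.groups()
    options: dict[str, str] = {}
    for tok in (opts or "").split():          # e.g. "arch=amd64 signed-by=/path"
        key, _, val = tok.partition("=")
        options[key.lower()] = val
    return SourceEntry([typ], uri, suite, comps.split(), options)


def effective_signed_by(entry: SourceEntry, keyrings=DEFAULT_KEYRINGS) -> str | None:
    """An explicit signed-by option wins; otherwise look the host up in the map."""
    explicit = entry.options.get("signed-by")
    if explicit:
        return explicit
    return keyrings.get(urlparse(entry.uri).hostname or "")


def merge(entries: list[SourceEntry]) -> list[SourceEntry]:
    """Fold deb and deb-src lines for the same repository into one entry."""
    merged: dict[tuple, SourceEntry] = {}
    for e in entries:
        key = (e.uri, e.suite, tuple(e.components), tuple(sorted(e.options.items())))
        if key not in merged:
            merged[key] = SourceEntry(list(e.types), e.uri, e.suite, list(e.components), dict(e.options))
            continue
        for t in e.types:
            if t not in merged[key].types:
                merged[key].types.append(t)
    return list(merged.values())


def to_deb822(entry: SourceEntry, keyrings=DEFAULT_KEYRINGS) -> str:
    """Render one deb822 stanza, writing the keyring path into the file explicitly."""
    lines = [f"Types: {' '.join(entry.types)}", f"URIs: {entry.uri}", f"Suites: {entry.suite}"]
    if entry.components:                      # flat repositories ("./") have none
        lines.append(f"Components: {' '.join(entry.components)}")
    if "arch" in entry.options:
        lines.append("Architectures: " + " ".join(entry.options["arch"].split(",")))
    signed_by = effective_signed_by(entry, keyrings)
    if signed_by:
        lines.append(f"Signed-By: {signed_by}")
    if entry.options.get("trusted") == "yes":
        lines.append("Trusted: yes")
    return "\n".join(lines) + "\n"


def notices(entry: SourceEntry, keyrings=DEFAULT_KEYRINGS) -> list[str]:
    """The two conditions discussed in the thread; trusted=yes does not silence the first."""
    where = f"{entry.uri} {entry.suite}"
    out = []
    if effective_signed_by(entry, keyrings) is None:
        out.append(f"{where}: no Signed-By, so any key in the global trusted.gpg.d keyring can sign it")
    if entry.options.get("trusted") == "yes":
        out.append(f"{where}: trusted=yes makes apt accept the repository even when it cannot "
                   "verify a signature; it is not a substitute for Signed-By")
    return out


def modernize(sources_list: str, keyrings=DEFAULT_KEYRINGS) -> tuple[str, list[str]]:
    """Return (deb822 text, notices) for a whole sources.list."""
    parsed = [e for e in (parse_one_line(l) for l in sources_list.splitlines()) if e]
    merged = merge(parsed)
    text = "\n".join(to_deb822(e, keyrings) for e in merged)
    return text, [n for e in merged for n in notices(e, keyrings)]


# Constructed sample input, not taken from any real system.
SAMPLE_SOURCES_LIST = """\
deb http://deb.debian.org/debian bookworm main contrib
deb-src http://deb.debian.org/debian bookworm main contrib
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://apt.example.org/debian stable main
deb [trusted=yes] http://mirror.example.net/third-party ./
"""

if __name__ == "__main__":
    text, notes = modernize(SAMPLE_SOURCES_LIST)
    print(text)
    for n in notes:
        print("Notice:", n)
```

Run as-is, the sample yields three stanzas (the two Debian lines merge into one with `Types: deb deb-src` and an explicit archive keyring path) and two notices, both for the `trusted=yes` entry: it carries no Signed-By, and the `trusted=yes` flag is reported rather than treated as a fix. The keyring is written into the `.sources` file rather than assumed by the converter at run time, which is the difference between the explicit per-source pinning the quoted reply asks for and the implicit global fallback it argues against.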

