Acknowledgement sent
to Timo Weingärtner <[email protected]>:
New Bug report received and forwarded. Copy sent to APT Development Team <[email protected]>.
(Mon, 04 Nov 2019 13:30:04 GMT)
Package: apt
Version: 1.8.4
Severity: normal
Hello Ansgar,
04.11.19 09:44 Ansgar:
> Paul Wise writes:
> > On Mon, Nov 4, 2019 at 4:52 AM Guillem Jover <[email protected]> wrote:
> >> The official archive-keyring packages that use these, I think it's mostly
> >> for backwards compatibility reasons.
> >
> > I wonder if it is feasible to and how the debian-archive-keyring could
> > migrate from /etc/apt/trusted.gpg.d/ to /usr/share/keyrings/ +
> > signed-by. Right now it ships keyrings in both places.
>
> I would recommend against doing this as long as sources.list is a
> configuration file: it would need regular updates to change to the new
> signing key. That doesn't work out of the box.
Maybe apt could deprecate /etc/apt/trusted* and apt-key(8) in bullseye and
abandon them in bullseye+1. The whole concept of having one keyring that
authenticates all sources is wrong. I had my share in making
/etc/apt/trusted.d possible, but now that we have "Signed-By:" it is the
inferior solution and thus not needed anymore.
d-i should start to create sources.list with "Signed-By:" right now, #944102 [1].
apt or debian-archive-keyring could provide a migration script for
sources.list entries without "Signed-By:" which could — at least for
origin=Debian — add the correct "Signed-By:" option.
Regards
Timo
[1] https://bugs.debian.org/944102