Debian Bug report logs - #595428
apt again lost support for Apt::GPGV::TrustedKeyring


Package: apt; Maintainer for apt is APT Development Team <deity@lists.debian.org>; Source for apt is src:apt.

Reported by: Joey Hess <joeyh@debian.org>

Date: Fri, 3 Sep 2010 20:27:01 UTC

Severity: grave

Found in version apt/0.8.0

Fixed in version apt/0.8.2

Done: Michael Vogt <mvo@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#595428; Package apt. (Fri, 03 Sep 2010 20:27:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to APT Development Team <deity@lists.debian.org>. (Fri, 03 Sep 2010 20:27:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apt again lost support for Apt::GPGV::TrustedKeyring
Date: Fri, 3 Sep 2010 16:24:04 -0400
[Message part 1 (text/plain, inline)]
Package: apt
Version: 0.8.0
Severity: grave

This seems to be a repeat of the situation in #316390, or a failure
to cherry-pick that fix to 0.8.0.

Apt::GPGV::TrustedKeyring is a requirement for d-i to build, at least
as long as /etc/apt/trusted.gpg has permission of 600 on (some, I don't
know why it varies) systems. Daily builds are breaking left and right.

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#595428; Package apt. (Fri, 03 Sep 2010 20:48:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Fri, 03 Sep 2010 20:48:04 GMT) Full text and rfc822 format available.

Message #10 received at 595428@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: 595428@bugs.debian.org
Subject: Re: Bug#595428: Acknowledgement (apt again lost support for Apt::GPGV::TrustedKeyring)
Date: Fri, 3 Sep 2010 16:44:28 -0400
[Message part 1 (text/plain, inline)]
So, I guess what's really going on is that Apt::GPGV::TrustedKeyring
was "deprecated", at least at the level of having a comment in the source
to that effect, although there were no deprecation warnings I know of. And
it was removed in 0.8.0. I guess we're supposed to use Dir::Etc::trusted
now, although oddly I have to set that to a keyring file, not a directory.
And it's similarly undocumented.

BTW I noticed that apt still contains this: 

./cmdline/apt-key:	eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring)

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#595428; Package apt. (Sat, 04 Sep 2010 08:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to David Kalnischkies <kalnischkies+debian@gmail.com>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Sat, 04 Sep 2010 08:27:03 GMT) Full text and rfc822 format available.

Message #15 received at 595428@bugs.debian.org (full text, mbox):

From: David Kalnischkies <kalnischkies+debian@gmail.com>
To: Joey Hess <joeyh@debian.org>, 595428@bugs.debian.org
Subject: Re: Bug#595428: apt again lost support for Apt::GPGV::TrustedKeyring
Date: Sat, 4 Sep 2010 10:25:33 +0200
[Message part 1 (text/plain, inline)]
Hi,

2010/9/3 Joey Hess <joeyh@debian.org>:
> This seems to be a repeat of the situation in #316390, or a failure
> to cherry-pick that fix to 0.8.0.

Same shit, different cause.
The ongoing process of making apt-key obsolete resulted
in an interesting divergence in the options used and understood
in apt-key vs. libapt… this time libapt is at fault… *sigh*

You can fix this easily by setting Dir::Etc::Trusted to the same
value as APT::GPGV::TrustedKeyring - the code in libapt which
should have done this does it unfortunately too early…


> Apt::GPGV::TrustedKeyring is a requirement for d-i to build, at least
> as long as /etc/apt/trusted.gpg has permission of 600 on (some, I don't
> know why it varies) systems. Daily builds are breaking left and right.

I honestly don't know why 600 - APT doesn't seem to set a mode on it
so it should be gpg at the time the first keyring is inserted…


Best regards

David Kalnischkies
[apt-fix-trustedkeyring.diff (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#595428; Package apt. (Sat, 04 Sep 2010 08:51:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to David Kalnischkies <kalnischkies+debian@gmail.com>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Sat, 04 Sep 2010 08:51:06 GMT) Full text and rfc822 format available.

Message #20 received at 595428@bugs.debian.org (full text, mbox):

From: David Kalnischkies <kalnischkies+debian@gmail.com>
To: Joey Hess <joeyh@debian.org>, 595428@bugs.debian.org
Subject: Re: Bug#595428: Acknowledgement (apt again lost support for Apt::GPGV::TrustedKeyring)
Date: Sat, 4 Sep 2010 10:49:00 +0200
mhh, missed that mail on first look…

2010/9/3 Joey Hess <joeyh@debian.org>:
> So, I guess what's really going on is that Apt::GPGV::TrustedKeyring
> was "deprecated", at least at the level of having a comment in the source
> to that effect, although there were no deprecation warnings I know of. And

The thing is, the comment says it should be removed at the place the
setting should be interpreted (and does it now after the patch) but in 0.8
the interpretation is even before the loading of the config files…
completely bogus. So while I think we should get rid of
Apt::GPGV::TrustedKeyring as it doesn't fit into the rest of the configuration
(setting Dir and Dir::Etc differently doesn't affect it at all, but should),
it should still be supported in wheezy…

> it was removed in 0.8.0. I guess we're supposed to use Dir::Etc::trusted
> now, although oddly I have to set that to a keyring file, not a directory.

I don't understand what you mean, TrustedKeyring wanted also a file…?

> And it's similarly undocumented.

The apt-key manpage mentions the keyring files and the options to
set them to a non-default file. Well hidden, but existing. ;)
In the future it should be maybe added to apt-secure as well…

>
> BTW I noticed that apt still contains this:
>
> ./cmdline/apt-key:      eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring)

As said, libapt and apt-key disagree on which options they interpret…
I will try to fix this now, with the hope that in wheezy apt-key will be
obsolete (I can't mention that too often :) ).


Best regards

David Kalnischkies




Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#595428; Package apt. (Sat, 04 Sep 2010 18:33:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Sat, 04 Sep 2010 18:33:06 GMT) Full text and rfc822 format available.

Message #25 received at 595428@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: David Kalnischkies <kalnischkies+debian@gmail.com>
Cc: 595428@bugs.debian.org
Subject: Re: Bug#595428: apt again lost support for Apt::GPGV::TrustedKeyring
Date: Sat, 4 Sep 2010 14:31:39 -0400
[Message part 1 (text/plain, inline)]
David Kalnischkies wrote:
> You can fix this easily by setting Dir::Etc::Trusted to the same
> value as APT::GPGV::TrustedKeyring - the code in libapt which
> should have done this does it unfortunately too early…

Yes, I've done so in d-i svn. 

I assume getting apt 0.8.0 into testing is not currently in the cards.
It should at least not get in before the next d-i upload. Up to you
whether you leave this bug RC or not.

(/etc/apt/trusted.gpg)
> I honestly don't know why 600 - APT doesn't seem to set a mod on it
> so it should be gpg at the time the first keyring is inserted…

gpg does make keyrings 600 by default. On older systems, the file was
created by something else, so its mode can vary. I think that is a bug
by itself -- it should be possible for regular users to verify things
against the system's apt's trust keyring. The only reason d-i's build
overrides the keyring in the first place, really, is because the
build process does not run as root.

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#595428; Package apt. (Sat, 04 Sep 2010 18:36:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Sat, 04 Sep 2010 18:36:07 GMT) Full text and rfc822 format available.

Message #30 received at 595428@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: David Kalnischkies <kalnischkies+debian@gmail.com>
Cc: 595428@bugs.debian.org
Subject: Re: Bug#595428: Acknowledgement (apt again lost support for Apt::GPGV::TrustedKeyring)
Date: Sat, 4 Sep 2010 14:33:51 -0400
[Message part 1 (text/plain, inline)]
David Kalnischkies wrote:
> > it was removed in 0.8.0. I guess we're supposed to use Dir::Etc::trusted
> > now, although oddly I have to set that to a keyring file, not a directory.
> 
> I don't understand what you mean, TrustedKeyring wanted also a file…?

It did. I was misled by the "Dir" in "Dir::Etc" to assume it was
meant to configure a directory.

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#595428; Package apt. (Sat, 04 Sep 2010 21:45:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to David Kalnischkies <kalnischkies+debian@gmail.com>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Sat, 04 Sep 2010 21:45:04 GMT) Full text and rfc822 format available.

Message #35 received at 595428@bugs.debian.org (full text, mbox):

From: David Kalnischkies <kalnischkies+debian@gmail.com>
To: Joey Hess <joeyh@debian.org>
Cc: 595428@bugs.debian.org
Subject: Re: Bug#595428: apt again lost support for Apt::GPGV::TrustedKeyring
Date: Sat, 4 Sep 2010 23:43:29 +0200
[Message part 1 (text/plain, inline)]
2010/9/4 Joey Hess <joeyh@debian.org>:
> David Kalnischkies wrote:
> I assume getting apt 0.8.0 into testing is not currently in the cards.
> It should at least not get in before the next d-i upload. Up to you
> whether you leave this bug RC or not.

0.8.0 has already been in testing since yesterday, after 9 days of transition…
Michael also prepared a 0.8.1 bugfix release yesterday, maybe we should
get a fixed 0.8.2 armed and ready for testing a bit faster than usual,
let's see what we can do on Monday…


> (/etc/apt/trusted.gpg)
>> I honestly don't know why 600 - APT doesn't seem to set a mod on it
>> so it should be gpg at the time the first keyring is inserted…
>
> gpg does make keyrings 600 by default. On older systems, the file was
> created by something else, so its mode can vary. I think that is a bug
> by itself -- it should be possible for regular users to verify things
> against the system's apt's trust keyring. The only reason d-i's build
> overrides the keyring in the first place, really, is because the
> build process does not run as root.

So, would you recommend that APT ensures that the file has 644
instead, as it does for other files it works with?


Best regards

David Kalnischkies
[apt-fix-trustedkeyring.diff (text/x-patch, attachment)]
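The workaround David describes (point Dir::Etc::Trusted at the same file as APT::GPGV::TrustedKeyring, so libapt and apt-key agree) and the keyring-mode question raised above, as an added shell example that is not code from the bug report or from apt. The keyring path and conf fragment are constructed for the demo; the apt-config calls are skipped when apt is not installed.

```shell
#!/bin/sh
# Added example (not code from the bug report or from apt): write an apt.conf
# fragment that points BOTH Apt::GPGV::TrustedKeyring (what apt-key and the
# too-early libapt 0.8.0 code read) and Dir::Etc::Trusted (what the library
# reads) at the same keyring, and check that the keyring is not mode 600, so
# that non-root builds such as d-i can verify against it.

# Emit the fragment for keyring $1; use an absolute path so Dir::Etc is not prepended.
trusted_keyring_conf() {
    printf 'APT::GPGV::TrustedKeyring "%s";\nDir::Etc::Trusted "%s";\n' "$1" "$1"
}

# Octal permission bits of a file (GNU stat, with a BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 if "other" users can read the keyring (last octal digit has the r bit),
# 1 for a gpg-style 600 keyring, 2 if the file cannot be inspected at all.
keyring_world_readable() {
    mode=$(file_mode "$1") || return 2
    case "$(printf '%s' "$mode" | tail -c 1)" in
        4|5|6|7) return 0 ;;
        *) return 1 ;;
    esac
}

# Show how apt resolves both keys from fragment $1, the same way the apt-key
# line quoted in the thread does (skipped when apt-config is not installed).
show_resolved_keyring() {
    command -v apt-config >/dev/null 2>&1 || { echo "apt-config not installed, skipping"; return 0; }
    APT_CONFIG="$1" apt-config shell KEYRING Dir::Etc::Trusted
    APT_CONFIG="$1" apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
}

# Demo on a constructed keyring (the real file would be /etc/apt/trusted.gpg).
demo_dir=$(mktemp -d)
demo_keyring="$demo_dir/trusted.gpg"
: > "$demo_keyring"
chmod 600 "$demo_keyring"
if keyring_world_readable "$demo_keyring"; then
    echo "$demo_keyring is readable by non-root users"
else
    echo "$demo_keyring has mode $(file_mode "$demo_keyring"): non-root verification will fail"
fi
trusted_keyring_conf "$demo_keyring" > "$demo_dir/apt.conf"
cat "$demo_dir/apt.conf"
show_resolved_keyring "$demo_dir/apt.conf"
rm -rf "$demo_dir"
```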

Reply sent to Michael Vogt <mvo@debian.org>:
You have taken responsibility. (Tue, 07 Sep 2010 07:21:09 GMT) Full text and rfc822 format available.

Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer. (Tue, 07 Sep 2010 07:21:09 GMT) Full text and rfc822 format available.

Message #40 received at 595428-close@bugs.debian.org (full text, mbox):

From: Michael Vogt <mvo@debian.org>
To: 595428-close@bugs.debian.org
Subject: Bug#595428: fixed in apt 0.8.2
Date: Tue, 07 Sep 2010 07:17:13 +0000
Source: apt
Source-Version: 0.8.2

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive:

apt-doc_0.8.2_all.deb
  to main/a/apt/apt-doc_0.8.2_all.deb
apt-transport-https_0.8.2_i386.deb
  to main/a/apt/apt-transport-https_0.8.2_i386.deb
apt-utils_0.8.2_i386.deb
  to main/a/apt/apt-utils_0.8.2_i386.deb
apt_0.8.2.dsc
  to main/a/apt/apt_0.8.2.dsc
apt_0.8.2.tar.gz
  to main/a/apt/apt_0.8.2.tar.gz
apt_0.8.2_i386.deb
  to main/a/apt/apt_0.8.2_i386.deb
libapt-pkg-dev_0.8.2_i386.deb
  to main/a/apt/libapt-pkg-dev_0.8.2_i386.deb
libapt-pkg-doc_0.8.2_all.deb
  to main/a/apt/libapt-pkg-doc_0.8.2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 595428@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Vogt <mvo@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 06 Sep 2010 18:10:06 +0200
Source: apt
Binary: apt apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source all i386
Version: 0.8.2
Distribution: unstable
Urgency: low
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Michael Vogt <mvo@debian.org>
Description: 
 apt        - Advanced front-end for dpkg
 apt-doc    - Documentation for APT
 apt-transport-https - APT https transport
 apt-utils  - APT utility programs
 libapt-pkg-dev - Development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - Documentation for APT development
Closes: 523919 595428 595557 595691
Changes: 
 apt (0.8.2) unstable; urgency=low
 .
   [ Manpages translations ]
   * Spanish (Omar Campagne). Closes: #595557
 .
   [ David Kalnischkies ]
   * apt-pkg/versionmatch.cc:
     - do not accept 'Pin: origin "' (missing closing ") as a valid
       way to pin a local archive: either "" or none…
   * apt-pkg/deb/dpkgpm.cc:
     - create Dir::Log if needed to support /var/log as tmpfs or similar,
       inspired by Thomas Bechtold, thanks! (Closes: #523919, LP: #220239)
   * apt-pkg/indexcopy.cc:
     - support really still the APT::GPGV::TrustedKeyring setting,
       as it breaks d-i badly otherwise (Closes: #595428)
   * cmdline/apt-key:
     - support also Dir::Etc::Trusted so that apt-key works in the same
       way as the library part which works with the trusted files
   * methods/{gzip,bzip2}.cc:
     - empty files can never be valid archives (Closes: #595691)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 07 Oct 2010 07:31:35 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 10:50:35 2014; Machine Name: beach.debian.org
