Debian Bug report logs - #687611
debian-archive-keyring: /usr/share/keyrings/debian-archive-removed-keys.gpg gets modified during squeeze->wheezy upgrade

Package: apt; Maintainer for apt is APT Development Team <deity@lists.debian.org>; Source for apt is src:apt.

Reported by: Andreas Beckmann <anbe@debian.org>

Date: Fri, 14 Sep 2012 09:36:01 UTC

Severity: important

Tags: patch

Merged with 662948

Found in versions apt/0.8.15.10, apt/0.9.7.7

Fixed in version apt/0.9.10

Done: Michael Vogt <mvo@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <packages@release.debian.org>:
Bug#687611; Package debian-archive-keyring. (Fri, 14 Sep 2012 09:36:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andreas Beckmann <debian@abeckmann.de>:
New Bug report received and forwarded. Copy sent to Debian Release Team <packages@release.debian.org>. (Fri, 14 Sep 2012 09:36:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Andreas Beckmann <debian@abeckmann.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: debian-archive-keyring: /usr/share/keyrings/debian-archive-removed-keys.gpg gets modified during squeeze->wheezy upgrade
Date: Fri, 14 Sep 2012 11:26:42 +0200
Package: debian-archive-keyring
Version: 2012.4
Severity: important
User: debian-qa@lists.debian.org
Usertags: piuparts

Hi,

I just started running debsums during my piuparts tests to catch
packages that modify conffiles (or any other shipped files), see #687538

A big hitter is debian-archive-keyring because
/usr/share/keyrings/debian-archive-removed-keys.gpg ends up modified
after a squeeze->wheezy upgrade (but is fine after a fresh wheezy
installation)


Andreas



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <packages@release.debian.org>:
Bug#687611; Package debian-archive-keyring. (Fri, 14 Sep 2012 15:39:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Philipp Kern <pkern@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <packages@release.debian.org>. (Fri, 14 Sep 2012 15:39:04 GMT) Full text and rfc822 format available.

Message #10 received at 687611@bugs.debian.org (full text, mbox):

From: Philipp Kern <pkern@debian.org>
To: Andreas Beckmann <debian@abeckmann.de>, 687611@bugs.debian.org
Cc: deity@lists.debian.org
Subject: Re: Bug#687611: debian-archive-keyring: /usr/share/keyrings/debian-archive-removed-keys.gpg gets modified during squeeze->wheezy upgrade
Date: Fri, 14 Sep 2012 17:36:05 +0200

On Fri, Sep 14, 2012 at 11:26:42AM +0200, Andreas Beckmann wrote:
> I just started running debsums during my piuparts tests to catch
> packages that modify conffiles (or any other shipped files), see #687538
> 
> A big hitter is debian-archive-keyring because
> /usr/share/keyrings/debian-archive-removed-keys.gpg ends up modified
> after a squeeze->wheezy upgrade (but is fine after a fresh wheezy
> installation)

Is it fine after a fresh squeeze installation? The only script that
touches that keyring (and I see the same as you on squeeze→wheezy) is
apt-key. And only if being called as «apt-key update». But I don't see
how the read-only access would modify the keyring and a subsequent «apt-key
update» call with wheezy's apt does not touch it. Maybe gpg does strange
things. Copying deity@.

Kind regards
Philipp Kern



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <packages@release.debian.org>:
Bug#687611; Package debian-archive-keyring. (Fri, 14 Sep 2012 17:09:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to David Kalnischkies <kalnischkies+debian@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <packages@release.debian.org>. (Fri, 14 Sep 2012 17:09:08 GMT) Full text and rfc822 format available.

Message #15 received at 687611@bugs.debian.org (full text, mbox):

From: David Kalnischkies <kalnischkies+debian@gmail.com>
To: Philipp Kern <pkern@debian.org>
Cc: Andreas Beckmann <debian@abeckmann.de>, 687611@bugs.debian.org, deity@lists.debian.org
Subject: Re: Bug#687611: debian-archive-keyring: /usr/share/keyrings/debian-archive-removed-keys.gpg gets modified during squeeze->wheezy upgrade
Date: Fri, 14 Sep 2012 19:06:45 +0200

On Fri, Sep 14, 2012 at 5:36 PM, Philipp Kern <pkern@debian.org> wrote:
> Is it fine after a fresh squeeze installation? The only script that
> touches that keyring (and I see the same as you on squeeze→wheezy) is
> apt-key. And only if being called as «apt-key update». But I don't see
> how the read-only access would modify the keyring and a subsequent «apt-key
> update» call with wheezy's apt does not touch it. Maybe gpg does strange
> things. Copying deity@.

apt-key shouldn't modify this keyring; it is only ever "touched" to --list-keys
in it, so it must be gpg doing things here. See #662948 which should probably
be merged with this one.
This report mentions as a result of 'apt-key update':
…
gpg: WARNING: digest algorithm MD5 is deprecated
gpg: please see http://www.gnupg.org/faq/weak-digest-algos.html for
more information
gpg: no ultimately trusted keys found
…

Maybe it is gpg auto-updating the digest even in --list-* commands;
or something completely different. I gave up after being unable to reproduce it.
(Not that I would have a solution, now that I know how to reproduce it …)


Best regards

David Kalnischkies



Changed Bug submitter to 'Andreas Beckmann <anbe@debian.org>' from 'Andreas Beckmann <debian@abeckmann.de>' Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sat, 26 Jan 2013 06:30:50 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <packages@release.debian.org>:
Bug#687611; Package debian-archive-keyring. (Fri, 15 Feb 2013 19:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andreas Beckmann <anbe@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <packages@release.debian.org>. (Fri, 15 Feb 2013 19:39:03 GMT) Full text and rfc822 format available.

Message #22 received at 687611@bugs.debian.org (full text, mbox):

From: Andreas Beckmann <anbe@debian.org>
To: Debian Bug Tracking System <687611@bugs.debian.org>
Subject: Re: debian-archive-keyring: /usr/share/keyrings/debian-archive-removed-keys.gpg gets modified during squeeze->wheezy upgrade
Date: Fri, 15 Feb 2013 20:36:42 +0100
Followup-For: Bug #687611

Hi,

I finally traced the modification of debian-archive-removed-keys.gpg
during squeeze -> wheezy upgrades to 'apt-key update' calling 
'gpg --list-keys' which is not a read-only operation.

Quoting from GPG(1):

  --no-auto-check-trustdb
      If  GnuPG  feels  that  its  information  about the Web
      of Trust has to be updated, it automatically runs the
      --check-trustdb command internally.  This may be a time
      consuming process. --no-auto-check-trustdb disables
      this option.

So let's call gpg with --no-auto-check-trustdb always to get
deterministic behavior ... and explicitly run --check-trustdb during
apt-key update. Do this with a dummy --keyring otherwise all keyrings
could be rewritten.

We cannot use --check-trustdb --batch to skip the update if it is not
needed - gpg thinks it is not needed until we run --list-keys once ...

Maybe we can use --check-trustdb --quiet to suppress the "gpg: no
ultimately trusted keys found" message ...


Raising the severity to RC as having modified keyrings after system
upgrades might make many users suspicious.


Andreas
[687611.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Fri, 15 Feb 2013 19:39:06 GMT) Full text and rfc822 format available.

Bug reassigned from package 'debian-archive-keyring' to 'apt'. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Fri, 15 Feb 2013 19:39:06 GMT) Full text and rfc822 format available.

No longer marked as found in versions debian-archive-keyring/2012.4. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Fri, 15 Feb 2013 19:39:07 GMT) Full text and rfc822 format available.

Marked as found in versions apt/0.9.7.7. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Fri, 15 Feb 2013 19:39:07 GMT) Full text and rfc822 format available.

Added indication that 687611 affects debian-archive-keyring Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Fri, 15 Feb 2013 19:39:08 GMT) Full text and rfc822 format available.

Severity set to 'serious' from 'important' Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Fri, 15 Feb 2013 19:39:08 GMT) Full text and rfc822 format available.

Severity set to 'important' from 'serious' Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Thu, 28 Feb 2013 19:00:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#687611; Package apt. (Wed, 08 May 2013 20:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andreas Beckmann <anbe@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (Wed, 08 May 2013 20:51:04 GMT) Full text and rfc822 format available.

Message #41 received at 687611@bugs.debian.org (full text, mbox):

From: Andreas Beckmann <anbe@debian.org>
To: Michael Vogt <mvo@debian.org>
Cc: 699759@bugs.debian.org, 687611@bugs.debian.org
Subject: Re: Bug#699759: apt: score computation may prefer obsolete installed packages over their successors
Date: Wed, 08 May 2013 22:49:39 +0200

On 2013-05-08 21:39, Michael Vogt wrote:
> I merged this into the recent unstable upload and it's also available
> in the debian-wheezy branch. Should I do a proposed-updates upload
> with this fix right away or shall we wait a little bit to see how well
> the change works in unstable first?

Thanks for getting this into sid. There is another issue I'd like to
get fixed in wheezy, too, but that needs to be fixed in sid first: #687611

Right now we have after a fresh wheezy install of debian-edu-archive-keyring
(or similar keyrings, as well as on the upgrade paths including these keyring
packages):

0m34.4s INFO: Warning: Package purging left files on system:
  /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg~   not owned
  /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg~      not owned
  /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg~    not owned
  /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg~       not owned

The modification of /usr/share/keyrings/debian-archive-removed-keys.gpg
of course still happens, too.

I verified that a patched apt does the upgrades from squeeze without
any new problems and does fix these bugs.
By now the whole squeeze archive should have gotten an upgrade test with
this patch applied.


Andreas
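
An added example, not part of the original thread and not apt's code: a POSIX shell check for the two symptoms reported in the messages above (a shipped keyring whose contents change, and a `~` backup file appearing beside it) around any command that is expected to be read-only. The names `fingerprint`, `check_readonly` and `list_keys_isolated` are hypothetical, and the gpg options in `list_keys_isolated` are an assumed invocation following the approach discussed in the thread (no automatic trustdb check, a temporary trustdb), not the patch that was applied.

```sh
#!/bin/sh
# Added example (not apt's code). All function names are hypothetical.

# Print the SHA-256 of FILE, or "absent" if it does not exist.
fingerprint() {
    if [ -f "$1" ]; then
        sha256sum "$1" | cut -d' ' -f1
    else
        echo absent
    fi
}

# check_readonly KEYRING CMD [ARGS...]
# Run CMD and compare KEYRING and its "~" backup before and after.
# Prints one line per finding; returns 0 if untouched, 1 otherwise.
check_readonly() {
    cr_keyring=$1
    shift
    cr_before=$(fingerprint "$cr_keyring")
    cr_bak_before=$(fingerprint "${cr_keyring}~")
    "$@" >/dev/null 2>&1 || true    # the command's exit status is not the point
    cr_status=0
    if [ "$(fingerprint "$cr_keyring")" != "$cr_before" ]; then
        echo "MODIFIED $cr_keyring"
        cr_status=1
    fi
    if [ "$(fingerprint "${cr_keyring}~")" != "$cr_bak_before" ]; then
        echo "BACKUP ${cr_keyring}~"
        cr_status=1
    fi
    return "$cr_status"
}

# list_keys_isolated KEYRING
# Assumed invocation: list the keys with the homedir and trustdb in a
# throwaway directory and the automatic trustdb check disabled.
list_keys_isolated() {
    lk_tmp=$(mktemp -d) || return 1
    gpg --no-options --homedir "$lk_tmp" \
        --no-default-keyring --keyring "$1" \
        --trustdb-name "$lk_tmp/trustdb.gpg" \
        --no-auto-check-trustdb --list-keys
    lk_rc=$?
    rm -rf "$lk_tmp"
    return "$lk_rc"
}

# Usage on a Debian system (path taken from the report):
#   check_readonly /usr/share/keyrings/debian-archive-removed-keys.gpg \
#       list_keys_isolated /usr/share/keyrings/debian-archive-removed-keys.gpg
```

Passing a plain `gpg --list-keys` call as the command instead of `list_keys_isolated` gives the comparison case for the behaviour the thread traces.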



Marked as found in versions apt/0.8.15.10. Request was from Ariel <asdebian@dsgml.com> to control@bugs.debian.org. (Mon, 15 Jul 2013 06:21:07 GMT) Full text and rfc822 format available.

Added tag(s) unreproducible. Request was from Ariel <asdebian@dsgml.com> to control@bugs.debian.org. (Mon, 15 Jul 2013 06:21:08 GMT) Full text and rfc822 format available.

Merged 662948 687611 Request was from Ariel <asdebian@dsgml.com> to control@bugs.debian.org. (Mon, 15 Jul 2013 06:21:09 GMT) Full text and rfc822 format available.

Removed tag(s) unreproducible. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sat, 27 Jul 2013 23:09:04 GMT) Full text and rfc822 format available.

Reply sent to Michael Vogt <mvo@debian.org>:
You have taken responsibility. (Mon, 12 Aug 2013 21:09:16 GMT) Full text and rfc822 format available.

Notification sent to Andreas Beckmann <anbe@debian.org>:
Bug acknowledged by developer. (Mon, 12 Aug 2013 21:09:16 GMT) Full text and rfc822 format available.

Message #54 received at 687611-close@bugs.debian.org (full text, mbox):

From: Michael Vogt <mvo@debian.org>
To: 687611-close@bugs.debian.org
Subject: Bug#687611: fixed in apt 0.9.10
Date: Mon, 12 Aug 2013 21:05:29 +0000
Source: apt
Source-Version: 0.9.10

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 687611@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Vogt <mvo@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 12 Aug 2013 21:45:07 +0200
Source: apt
Binary: apt libapt-pkg4.12 libapt-inst1.5 apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source all amd64
Version: 0.9.10
Distribution: unstable
Urgency: low
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Michael Vogt <mvo@debian.org>
Description: 
 apt        - commandline package manager
 apt-doc    - documentation for APT
 apt-transport-https - https download transport for APT
 apt-utils  - package management related utility programs
 libapt-inst1.5 - deb package format runtime library
 libapt-pkg-dev - development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - documentation for APT development
 libapt-pkg4.12 - package management runtime library
Closes: 543966 665411 687611 718482 718615 719263 719279
Changes: 
 apt (0.9.10) unstable; urgency=low
 .
   The "Hello to Debconf" upload
 .
   [ Christian Perrier ]
   * Vietnamese translation update. Closes: #718615
   * Japanese translation update. Closes: #719279
 .
   [ Michael Vogt ]
   * work on fixing coverity scan results:
     - fix some off-by-one errors
     - fix some resource leaks
     - fixes in chroot() handling
     - fix some missing va_end()
   * make the code -Wall clean again
   * remove duplicated #include<list>
   * add .travis.yml
   * use the 'abi-complicance-checker' package and remove the buildin
     copy for the abi checks
 .
   [ David Kalnischkies ]
   * ensure that FileFd::Size returns 0 in error cases
   * add missing Turkish (tr) to po/LINGUAS
   * correct management-typo in description found by lintian
   * implement debian/rules build-{arch,indep} as required by policy 3.9.4
   * reenable automatic parallel build of APT
   * exclude config.{sub,guess} from source package
   * update the symbol files to reflect current state
   * unset LANGUAGE for showing [Y/n] answer hints
   * fix some unitialized data members
   * specific pins below 1000 cause downgrades (Closes: 543966)
   * use pkgTagFile to parse "header" of Release files
   * fix: --print-uris removes authentication (Closes: 719263)
   * always use our own trustdb.gpg in apt-key
   * use a tmpfile for trustdb.gpg in apt-key.
     Thanks to Andreas Beckmann for the initial patch! (Closes: #687611)
   * do not double-slash paths in apt-key (Closes: 665411)
   * make the keyring locations in apt-key configurable
   * let apt-key del work better with softlink and single key keyrings
   * do not call 'apt-key update' in apt.postinst
 .
   [ Colin Watson ]
   * prefer native arch over higher priority for providers (Closes: #718482)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEARECAAYFAlIJPpQACgkQliSD4VZixzRqrQCfTYchQhIyLCQzXBKs+PjTkv5h
FhMAn17KQqjuVUqyFsEE4N8wLIhURodQ
=fKFk
-----END PGP SIGNATURE-----




Reply sent to Michael Vogt <mvo@debian.org>:
You have taken responsibility. (Mon, 12 Aug 2013 21:09:17 GMT) Full text and rfc822 format available.

Notification sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Bug acknowledged by developer. (Mon, 12 Aug 2013 21:09:17 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 02 Oct 2013 07:27:16 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 23:37:21 2014; Machine Name: beach.debian.org