Debian Bug report logs - #703431
Annoying GPG error message


Package: debian-cd; Maintainer for debian-cd is Debian CD Group <debian-cd@lists.debian.org>; Source for debian-cd is src:debian-cd.

Reported by: Robert Spencer <rspencer@lbsd.net>

Date: Tue, 19 Mar 2013 14:45:02 UTC

Severity: normal

Found in version debian-cd/3.1.11

Fixed in version debian-cd/3.1.12

Done: Steve McIntyre <93sam@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian CD Group <debian-cd@lists.debian.org>:
Bug#703431; Package debian-cd. (Tue, 19 Mar 2013 14:45:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Robert Spencer <rspencer@lbsd.net>:
New Bug report received and forwarded. Copy sent to Debian CD Group <debian-cd@lists.debian.org>. (Tue, 19 Mar 2013 14:45:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Robert Spencer <rspencer@lbsd.net>
To: submit@bugs.debian.org
Subject: Annoying GPG error message
Date: Tue, 19 Mar 2013 16:41:08 +0200
Package: debian-cd
Version: 3.1.11

There's a long standing error that I've seen even in on-line official 
Debian CD build logs.

W: GPG error: file: squeeze Release: No keyring installed in 
/home/idms/tmp/apt/squeeze-amd64/apt/trusted.gpg.d/.

Attached please find a patch file that fixes the error.

-- 
Robert Spencer
[Makefile.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CD Group <debian-cd@lists.debian.org>:
Bug#703431; Package debian-cd. (Tue, 19 Mar 2013 15:39:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steve McIntyre <steve@einval.com>:
Extra info received and forwarded to list. Copy sent to Debian CD Group <debian-cd@lists.debian.org>. (Tue, 19 Mar 2013 15:39:11 GMT) Full text and rfc822 format available.

Message #10 received at 703431@bugs.debian.org (full text, mbox):

From: Steve McIntyre <steve@einval.com>
To: Robert Spencer <rspencer@lbsd.net>, 703431@bugs.debian.org
Subject: Re: Bug#703431: Annoying GPG error message
Date: Tue, 19 Mar 2013 15:34:51 +0000
tags 703431 +pending
thanks

On Tue, Mar 19, 2013 at 04:41:08PM +0200, Robert Spencer wrote:
>Package: debian-cd
>Version: 3.1.11
>
>There's a long standing error that I've seen even in on-line official
>Debian CD build logs.
>
>W: GPG error: file: squeeze Release: No keyring installed in
>/home/idms/tmp/apt/squeeze-amd64/apt/trusted.gpg.d/.
>
>Attached please find a patch file that fixes the error.

Cool, looks good. I've applied this in svn straight away, and it'll
make it into the next upload shortly.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"I've only once written 'SQL is my bitch' in a comment. But that code 
 is in use on a military site..." -- Simon Booth




Added tag(s) pending. Request was from Steve McIntyre <steve@einval.com> to control@bugs.debian.org. (Tue, 19 Mar 2013 15:39:17 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CD Group <debian-cd@lists.debian.org>:
Bug#703431; Package debian-cd. (Thu, 28 Mar 2013 07:45:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CD Group <debian-cd@lists.debian.org>. (Thu, 28 Mar 2013 07:45:04 GMT) Full text and rfc822 format available.

Message #17 received at 703431@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Steve McIntyre <steve@einval.com>, 703431@bugs.debian.org
Cc: Robert Spencer <rspencer@lbsd.net>
Subject: Re: Bug#703431: Annoying GPG error message
Date: Thu, 28 Mar 2013 08:42:32 +0100
Hi,

On Tue, 19 Mar 2013, Steve McIntyre wrote:
> On Tue, Mar 19, 2013 at 04:41:08PM +0200, Robert Spencer wrote:
> >There's a long standing error that I've seen even in on-line official
> >Debian CD build logs.
> >
> >W: GPG error: file: squeeze Release: No keyring installed in
> >/home/idms/tmp/apt/squeeze-amd64/apt/trusted.gpg.d/.
> >
> >Attached please find a patch file that fixes the error.
> 
> Cool, looks good. I've applied this in svn straight away, and it'll
> make it into the next upload shortly.

Robert, would it be possible to add some parameters to use something
else than debian-archive-keyring ?

debian-cd ought to be usable to build CD images of Debian derivatives
and they don't reuse debian-archive-keyring, instead they provide their
own keyring package.

Thanks in advance!
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/



Reply sent to Steve McIntyre <93sam@debian.org>:
You have taken responsibility. (Mon, 01 Apr 2013 03:06:14 GMT) Full text and rfc822 format available.

Notification sent to Robert Spencer <rspencer@lbsd.net>:
Bug acknowledged by developer. (Mon, 01 Apr 2013 03:06:14 GMT) Full text and rfc822 format available.

Message #22 received at 703431-close@bugs.debian.org (full text, mbox):

From: Steve McIntyre <93sam@debian.org>
To: 703431-close@bugs.debian.org
Subject: Bug#703431: fixed in debian-cd 3.1.12
Date: Mon, 01 Apr 2013 03:02:35 +0000
Source: debian-cd
Source-Version: 3.1.12

We believe that the bug you reported is fixed in the latest version of
debian-cd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 703431@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve McIntyre <93sam@debian.org> (supplier of updated debian-cd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 01 Apr 2013 02:32:44 +0100
Source: debian-cd
Binary: debian-cd
Architecture: source all
Version: 3.1.12
Distribution: unstable
Urgency: low
Maintainer: Debian CD Group <debian-cd@lists.debian.org>
Changed-By: Steve McIntyre <93sam@debian.org>
Description: 
 debian-cd  - Tools for building (Official) Debian CD set
Closes: 695080 699198 699884 703431 703487 704342
Changes: 
 debian-cd (3.1.12) unstable; urgency=low
 .
   [ Steve McIntyre ]
   * When building source-only discs, cope with having multiple different
     versions of a source package:
     + make_disc_trees.pl now tracks arrays of packages when parsing
       apt-cache output
     + We'll now pull in all the extra packages included in Sources.gz
       because of Built-Using.
   * Add support for Built-Using:
     + tools/sort_deps: parse out Built-Using from Packages files too and
       pass any such data on to tools/merge_package_lists
     + tools/merge_package_lists: if we have any built-using source
       packages listed when doing a combined binary/source set, add them in
       the same way as existing listed sources.
   * Other bug fixes in tools/merge_package_lists:
     + Fix handling of multi-line Binary: fields
     + Print out the accumulated size of source packages in output also
       (fix to printf format string)
   * Update Vcs-Browser
   * Make sure the DEBIAN_KERNEL placeholder in README.* is replaced;
     switch from cpp to sed for that so it works inside quoted
     text. Closes: #699198
   * Deal with syslinux version 5.x needing to install more files for
     bootable x86 media. Thanks to Daniel Baumann for the path.
     Closes: #699884
 .
   [ Raphaël Hertzog ]
   * Update Makefile to set MKISOFS to xorriso by default when building
     images for i386/amd64. Otherwise a build that doesn't set MKISOFS
     and MKISOFS_OPTS fails.
   * Update tools/boot/wheezy/boot-x86 to not look for syslinux's source
     if $ARCHIVE_EXTRACTED_SOURCES is not set and modify CONF.sh
     to not set it by default. That option is only meaningful for
     official builds that result in a copy of the sources on the given URL.
   * Add dosfstools to Recommends since it's required by
     tools/boot/wheezy/boot-x86 for EFI support. It can't be added to Depends
     because it's not available on non-Linux systems.
   * Use debootstrap --no-check-gpg by default since many local mirrors
     are not signed (such as temporary mirrors created by simple-cdd).
 .
   [ Steve McIntyre ]
   * Update boot-mipsel and boot-hppa to use the which_deb script for
     better safety when extracting boot loader files.
   * Update all the relevant boot-* scripts to do the right thing when
     extracting packages and sources, depending on
     $ARCHIVE_EXTRACTED_SOURCES as above
   * Add extra text to boot messages on powerpc to tell people about how to
     select a different desktop. Thanks to Rick Thomas for the
     text. Tweaked slightly to list the default on the current disc too.
 .
   [ Robert Spencer ]
   * Extract debian-archive-keyring when setting up apt to avoid error
     messages about missing keys. Closes: #703431
   * Fix cpp warning in Makefile. Closes: #704342
   * Correct usage of dpkg-architecture to fix errors. Closes: #703487
 .
   [ Steve McIntyre ]
   * Allow for override of DISKINFO base text; Closes: #695080





Information forwarded to debian-bugs-dist@lists.debian.org, Debian CD Group <debian-cd@lists.debian.org>:
Bug#703431; Package debian-cd. (Wed, 10 Apr 2013 16:03:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Robert Spencer <rspencer@lbsd.net>:
Extra info received and forwarded to list. Copy sent to Debian CD Group <debian-cd@lists.debian.org>. (Wed, 10 Apr 2013 16:03:07 GMT) Full text and rfc822 format available.

Message #27 received at 703431@bugs.debian.org (full text, mbox):

From: Robert Spencer <rspencer@lbsd.net>
To: 703431@bugs.debian.org
Cc: Raphael Hertzog <hertzog@debian.org>
Subject: Re: Bug#703431: Annoying GPG error message
Date: Wed, 10 Apr 2013 17:32:37 +0200
On 28/03/2013 09:42, Raphael Hertzog wrote:
> Hi,
>
> On Tue, 19 Mar 2013, Steve McIntyre wrote:
>> On Tue, Mar 19, 2013 at 04:41:08PM +0200, Robert Spencer wrote:
>>> There's a long standing error that I've seen even in on-line official
>>> Debian CD build logs.
>>>
>>> W: GPG error: file: squeeze Release: No keyring installed in
>>> /home/idms/tmp/apt/squeeze-amd64/apt/trusted.gpg.d/.
>>>
>>> Attached please find a patch file that fixes the error.
>>
>> Cool, looks good. I've applied this in svn straight away, and it'll
>> make it into the next upload shortly.
>
> Robert, would it be possible to add some parameters to use something
> else than debian-archive-keyring ?
>
> debian-cd ought to be usable to build CD images of Debian derivatives
> and they don't reuse debian-archive-keyring, instead they provide their
> own keyring package.
>
> Thanks in advance!

Hi,

I don't have a non-Debian system to test it on, but I hope the attached 
patch file meets your requirements (it's for debian-cd 3.1.12).

I have tested it on my build system and the defaults work.

On a related note, should I file a bug on the addition of the following 
line to CONF.sh or just provide another patch?

#export DEBOOTSTRAP_OPTS="--keyring 
/usr/share/keyrings/debian-archive-keyring.gpg"

-- 
Robert Spencer
[Makefile.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CD Group <debian-cd@lists.debian.org>:
Bug#703431; Package debian-cd. (Fri, 12 Apr 2013 08:57:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CD Group <debian-cd@lists.debian.org>. (Fri, 12 Apr 2013 08:57:04 GMT) Full text and rfc822 format available.

Message #32 received at 703431@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Robert Spencer <rspencer@lbsd.net>
Cc: 703431@bugs.debian.org
Subject: Re: Bug#703431: Annoying GPG error message
Date: Fri, 12 Apr 2013 10:54:57 +0200
On Wed, 10 Apr 2013, Robert Spencer wrote:
> I don't have a non-Debian system to test it on, but I hope the
> attached patch file meets your requirements (it's for debian-cd
> 3.1.12).
> 
> I have tested it on my build system and the defaults work.

I applied it. But thinking a bit more about what you did there's
more to improve. First you enable all keyrings in /usr/share/keyrings
which means also /usr/share/keyrings/debian-archive-removed-keys.gpg.
I don't think that we should use this one.

So we should be able to tell that we want to use a specific keyring
and not assume that all those in /usr/share/keyrings/ are OK.

> On a related note, should I file a bug on the addition of the
> following line to CONF.sh or just provide another patch?
> 
> #export DEBOOTSTRAP_OPTS="--keyring
> /usr/share/keyrings/debian-archive-keyring.gpg"

I do not understand your question. That line is already in CONF.sh.

$ grep DEBOOTSTRAP_OPTS CONF.sh 
unset DEBOOTSTRAP_OPTS   || true
#export DEBOOTSTRAP_OPTS="--keyring /usr/share/keyrings/debian-archive-keyring.gpg"

But when you see that line it seems obvious that there's room for improvement
here. Why should we have to specify the keyring file twice, once for APT and
once for debootstrap ?

So IMO we should be able to use only two parameters:

ARCHIVE_KEYRING_PACKAGE=debian-archive-package
ARCHIVE_KEYRING_FILE=/usr/share/keyrings/debian-archive-keyring.gpg

And have debian-cd extract the file and pass it around to APT and debootstrap.
And then DEBOOTSTRAP_OPTS would default to "--no-check-gpg" and we would just
unset it to activate the GPG check at the debootstrap level.

Can you implement this ?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian CD Group <debian-cd@lists.debian.org>:
Bug#703431; Package debian-cd. (Tue, 16 Apr 2013 15:27:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Robert Spencer <rspencer@lbsd.net>:
Extra info received and forwarded to list. Copy sent to Debian CD Group <debian-cd@lists.debian.org>. (Tue, 16 Apr 2013 15:27:07 GMT) Full text and rfc822 format available.

Message #37 received at 703431@bugs.debian.org (full text, mbox):

From: Robert Spencer <rspencer@lbsd.net>
To: Raphael Hertzog <hertzog@debian.org>
Cc: 703431@bugs.debian.org
Subject: Re: Bug#703431: Annoying GPG error message
Date: Tue, 16 Apr 2013 17:22:00 +0200
On 12/04/2013 10:54, Raphael Hertzog wrote:
> On Wed, 10 Apr 2013, Robert Spencer wrote:
>> I don't have a non-Debian system to test it on, but I hope the
>> attached patch file meets your requirements (it's for debian-cd
>> 3.1.12).
>>
>> I have tested it on my build system and the defaults work.
>
> I applied it. But thinking a bit more about what you did there's
> more to improve. First you enable all keyrings in /usr/share/keyrings
> which means also /usr/share/keyrings/debian-archive-removed-keys.gpg.
> I don't think that we should use this one.
>
> So we should be able to tell that we want to use a specific keyring
> and not assume that all those in /usr/share/keyrings/ are OK.

Agreed.

>> On a related note, should I file a bug on the addition of the
>> following line to CONF.sh or just provide another patch?
>>
>> #export DEBOOTSTRAP_OPTS="--keyring
>> /usr/share/keyrings/debian-archive-keyring.gpg"
>
> I do not understand your question. That line is already in CONF.sh.

My concern was addressed below.

> $ grep DEBOOTSTRAP_OPTS CONF.sh
> unset DEBOOTSTRAP_OPTS   || true
> #export DEBOOTSTRAP_OPTS="--keyring /usr/share/keyrings/debian-archive-keyring.gpg"
>
> But when you see that line it seems obvious that there's room for improvement
> here. Why should we have to specify the keyring file twice, once for APT and
> once for debootstrap ?
>
> So IMO we should be able to use only two parameters:
>
> ARCHIVE_KEYRING_PACKAGE=debian-archive-package
> ARCHIVE_KEYRING_FILE=/usr/share/keyrings/debian-archive-keyring.gpg
>
> And have debian-cd extract the file and pass it around to APT and debootstrap.
> And then DEBOOTSTRAP_OPTS would default to "--no-check-gpg" and we would just
> unset it to activate the GPG check at the debootstrap level.
>
> Can you implement this ?

Patch file attached. Again it's for debian-cd 3.1.12.

-- 
Robert Spencer
[keyring.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CD Group <debian-cd@lists.debian.org>:
Bug#703431; Package debian-cd. (Thu, 18 Apr 2013 12:30:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CD Group <debian-cd@lists.debian.org>. (Thu, 18 Apr 2013 12:30:09 GMT) Full text and rfc822 format available.

Message #42 received at 703431@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Robert Spencer <rspencer@lbsd.net>, 703431@bugs.debian.org
Subject: Re: Bug#703431: Annoying GPG error message
Date: Thu, 18 Apr 2013 14:15:43 +0200
On Tue, 16 Apr 2013, Robert Spencer wrote:
> >And have debian-cd extract the file and pass it around to APT and debootstrap.
> >And then DEBOOTSTRAP_OPTS would default to "--no-check-gpg" and we would just
> >unset it to activate the GPG check at the debootstrap level.
> >
> >Can you implement this ?
> 
> Patch file attached. Again it's for debian-cd 3.1.12.

Thanks, but there's a small misunderstanding left here:

>  # By default we use debootstrap --no-check-gpg to find out the minimal set
>  # of packages because there's no reason to not trust the local mirror. But
>  # you can be paranoid and then you need to indicate the keyring to use to
>  # validate the mirror.
> -#export DEBOOTSTRAP_OPTS="--keyring /usr/share/keyrings/debian-archive-keyring.gpg"
> +#export DEBOOTSTRAP_OPTS="--keyring $ARCHIVE_KEYRING_FILE"
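
Review bot: On the added `#export DEBOOTSTRAP_OPTS="--keyring $ARCHIVE_KEYRING_FILE"` line, the variable is expanded at the moment CONF.sh is sourced, so anyone who uncomments it while ARCHIVE_KEYRING_FILE is unset, or who sets it further down the file, ends up with `--keyring ` and no path. Writing the reference as `${ARCHIVE_KEYRING_FILE:?}` would make that case stop with an error instead, and the unchanged comment above the line does not mention the variable at all, so it should say that ARCHIVE_KEYRING_FILE has to be defined before this line.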

This still requires that the keyring be installed on the system whereas
we're already extracting it from the binary package in debian-cd.

So I was suggesting to always pass the --keyring option to debootstrap
but letting it point to the extracted keyring instead of the system-wide
one.

And then CONF.sh would only contain something like this:

# By default we use debootstrap --no-check-gpg to find out the minimal set
# of packages because there's no reason to not trust the local mirror. But
# you can be paranoid and then you need to set DEBOOTSTRAP_OPTS to an
# empty value and indicate the keyring to use with ARCHIVE_KEYRING_PACKAGE
# and ARCHIVE_KEYRING_FILE.
#export DEBOOTSTRAP_OPTS="--no-check-gpg"

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian CD Group <debian-cd@lists.debian.org>:
Bug#703431; Package debian-cd. (Fri, 19 Apr 2013 10:45:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Robert Spencer <rspencer@lbsd.net>:
Extra info received and forwarded to list. Copy sent to Debian CD Group <debian-cd@lists.debian.org>. (Fri, 19 Apr 2013 10:45:07 GMT) Full text and rfc822 format available.

Message #47 received at 703431@bugs.debian.org (full text, mbox):

From: Robert Spencer <rspencer@lbsd.net>
To: Raphael Hertzog <hertzog@debian.org>
Cc: 703431@bugs.debian.org
Subject: Re: Bug#703431: Annoying GPG error message
Date: Fri, 19 Apr 2013 12:40:00 +0200
On 18/04/2013 14:15, Raphael Hertzog wrote:
> On Tue, 16 Apr 2013, Robert Spencer wrote:
>>> And have debian-cd extract the file and pass it around to APT and debootstrap.
>>> And then DEBOOTSTRAP_OPTS would default to "--no-check-gpg" and we would just
>>> unset it to activate the GPG check at the debootstrap level.
>>>
>>> Can you implement this ?
>>
>> Patch file attached. Again it's for debian-cd 3.1.12.
>
> Thanks, but there's a small misunderstanding left here:
>
>>   # By default we use debootstrap --no-check-gpg to find out the minimal set
>>   # of packages because there's no reason to not trust the local mirror. But
>>   # you can be paranoid and then you need to indicate the keyring to use to
>>   # validate the mirror.
>> -#export DEBOOTSTRAP_OPTS="--keyring /usr/share/keyrings/debian-archive-keyring.gpg"
>> +#export DEBOOTSTRAP_OPTS="--keyring $ARCHIVE_KEYRING_FILE"
>
> This still requires that the keyring be installed on the system whereas
> we're already extracting it from the binary package in debian-cd.

I'm sorry, I didn't misunderstand you. I made a bad assumption.

I hope the attached patch file is satisfactory.

-- 
Robert Spencer
[keyring.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CD Group <debian-cd@lists.debian.org>:
Bug#703431; Package debian-cd. (Fri, 19 Apr 2013 13:06:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian CD Group <debian-cd@lists.debian.org>. (Fri, 19 Apr 2013 13:06:08 GMT) Full text and rfc822 format available.

Message #52 received at 703431@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Robert Spencer <rspencer@lbsd.net>
Cc: 703431@bugs.debian.org
Subject: Re: Bug#703431: Annoying GPG error message
Date: Fri, 19 Apr 2013 15:04:19 +0200
Hi,

On Fri, 19 Apr 2013, Robert Spencer wrote:
> >This still requires that the keyring be installed on the system whereas
> >we're already extracting it from the binary package in debian-cd.
> 
> I'm sorry, I didn't misunderstand you. I made a bad assumption.
> 
> I hope the attached patch file is satisfactory.

Yes, it's mostly OK. I committed it.

> +# Keyring (defaults):
> +#ARCHIVE_KEYRING_PACKAGE=debian-archive-keyring
> +# The path to the keyring file relative to $TDIR/archive-keyring/
> +#ARCHIVE_KEYRING_FILE=usr/share/keyrings/debian-archive-keyring.gpg
> +
>  # By default we use debootstrap --no-check-gpg to find out the minimal set
>  # of packages because there's no reason to not trust the local mirror. But
>  # you can be paranoid and then you need to indicate the keyring to use to
>  # validate the mirror.
> -#export DEBOOTSTRAP_OPTS="--keyring /usr/share/keyrings/debian-archive-keyring.gpg"
> +#export DEBOOTSTRAP_OPTS="--keyring $TDIR/archive-keyring/$ARCHIVE_KEYRING_FILE"
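
Review bot: Both keyring defaults in the new block are commented out (`#ARCHIVE_KEYRING_PACKAGE=...` and `#ARCHIVE_KEYRING_FILE=...`), yet the rewritten DEBOOTSTRAP_OPTS example expands `$ARCHIVE_KEYRING_FILE` while CONF.sh is being sourced. Uncommenting only that last line therefore produces `--keyring $TDIR/archive-keyring/`, a directory rather than a keyring file, unless the variable was already set earlier in the file or in the environment. The comment above DEBOOTSTRAP_OPTS should say that ARCHIVE_KEYRING_FILE must be uncommented as well, and that its value is a relative path with no leading slash.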

This hardcodes TDIR and ARCHIVE_KEYRING_FILE in a second parameter and
makes it impossible to do stuff like this (assuming that you have
uncommented DEBOOTSTRAP_OPTS):
$ . CONF.sh
$ export TDIR=/tmp/debian-cd

But I guess it's not a big deal. At least it documents the value that
you're expected to set if you want to use it.

Thanks again!
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
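
The arrangement worked out in messages #32 to #52 (one named keyring under `$TDIR/archive-keyring/`, handed to both APT and debootstrap, with `--no-check-gpg` as the default), sketched as an added example that is not debian-cd's own code. `TDIR`, `ARCHIVE_KEYRING_FILE` and `DEBOOTSTRAP_OPTS` are the names used in the thread; the function names and the `apt_dir` argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not taken from debian-cd. Function names and the apt_dir
# argument are hypothetical; TDIR, ARCHIVE_KEYRING_FILE and DEBOOTSTRAP_OPTS
# are the variables discussed in the bug thread.

# Print the absolute path of the single keyring selected by
# ARCHIVE_KEYRING_FILE (a path relative to $TDIR/archive-keyring/).
# Fails when the variable is empty, absolute, contains "..", or does not
# name a non-empty regular file.
selected_keyring() {
    case "${ARCHIVE_KEYRING_FILE:-}" in
        ''|/*|*..*)
            echo "ARCHIVE_KEYRING_FILE must be a relative path without '..'" >&2
            return 1 ;;
    esac
    # Expanded here, at call time, so a TDIR exported after CONF.sh was
    # sourced is still honoured.
    kr="${TDIR:?TDIR is not set}/archive-keyring/$ARCHIVE_KEYRING_FILE"
    if [ ! -f "$kr" ] || [ ! -s "$kr" ]; then
        echo "keyring not found or empty: $kr" >&2
        return 1
    fi
    printf '%s\n' "$kr"
}

# Make the selected keyring the only file in APT's trusted.gpg.d.
# Keyrings left there by an earlier wildcard copy (for example
# debian-archive-removed-keys.gpg) are deleted, but only after the
# selection has been validated.
install_apt_keyring() {
    apt_dir=$1
    kr=$(selected_keyring) || return 1
    mkdir -p "$apt_dir/trusted.gpg.d" || return 1
    rm -f "$apt_dir"/trusted.gpg.d/*.gpg
    cp "$kr" "$apt_dir/trusted.gpg.d/"
}

# Print the options for debootstrap: always --keyring pointing at the
# extracted file, followed by DEBOOTSTRAP_OPTS. When DEBOOTSTRAP_OPTS is
# unset the default "--no-check-gpg" is used; setting it to an empty
# value drops that flag and leaves only the keyring option.
debootstrap_opts() {
    kr=$(selected_keyring) || return 1
    extra=${DEBOOTSTRAP_OPTS---no-check-gpg}
    printf '%s\n' "--keyring=$kr${extra:+ $extra}"
}
```
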



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 18 May 2013 07:28:20 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 19:12:25 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.