Re: apt: deprecate /etc/apt/trusted*
On Sat, Nov 09, 2019 at 06:23:04PM +, Colin Watson wrote:
> On Sat, Nov 09, 2019 at 12:29:11PM -0500, Roberto C. Sánchez wrote:
> > On Mon, Nov 04, 2019 at 02:27:19PM +0100, Timo Weingärtner wrote:
> > > Maybe apt could deprecate /etc/apt/trusted* and apt-key(8) in bullseye and
> > > abandon them in bullseye+1. The whole concept of having one keyring that
> > > authenticated all sources is wrong. I had my share in making
> > > /etc/apt/trusted.d possible, but now that we have "Signed-By:" it is the
> > > inferior solution and thus not needed anymore.
> >
> > What is the earliest version of apt that supports Signed-By in
> > sources.list? I scanned the changelog but it was not immediately clear.
>
> 1.1~exp9. The commit was:
>
> https://salsa.debian.org/apt-team/apt/commit/b0d408547734100bf86781615f546487ecf390d9

Thanks!

Regards,

-Roberto

--
Roberto C. Sánchez
Re: apt: deprecate /etc/apt/trusted*
On Sat, Nov 09, 2019 at 12:29:11PM -0500, Roberto C. Sánchez wrote:
> On Mon, Nov 04, 2019 at 02:27:19PM +0100, Timo Weingärtner wrote:
> > Maybe apt could deprecate /etc/apt/trusted* and apt-key(8) in bullseye and
> > abandon them in bullseye+1. The whole concept of having one keyring that
> > authenticated all sources is wrong. I had my share in making
> > /etc/apt/trusted.d possible, but now that we have "Signed-By:" it is the
> > inferior solution and thus not needed anymore.
>
> What is the earliest version of apt that supports Signed-By in
> sources.list? I scanned the changelog but it was not immediately clear.

1.1~exp9. The commit was:

https://salsa.debian.org/apt-team/apt/commit/b0d408547734100bf86781615f546487ecf390d9

--
Colin Watson [cjwat...@debian.org]
Re: apt: deprecate /etc/apt/trusted*
On Mon, Nov 04, 2019 at 02:27:19PM +0100, Timo Weingärtner wrote:
>
> Maybe apt could deprecate /etc/apt/trusted* and apt-key(8) in bullseye and
> abandon them in bullseye+1. The whole concept of having one keyring that
> authenticated all sources is wrong. I had my share in making
> /etc/apt/trusted.d possible, but now that we have "Signed-By:" it is the
> inferior solution and thus not needed anymore.
>

What is the earliest version of apt that supports Signed-By in
sources.list? I scanned the changelog but it was not immediately clear.

Regards,

-Roberto

--
Roberto C. Sánchez
apt: deprecate /etc/apt/trusted*
Package: apt
Version: 1.8.4
Severity: normal

Hello Ansgar,

04.11.19 09:44 Ansgar:
> Paul Wise writes:
> > On Mon, Nov 4, 2019 at 4:52 AM Guillem Jover wrote:
> >> The official archive-keyring packages that use these, I think it's mostly
> >> for backwards compatibility reasons.
> >
> > I wonder if it is feasible to and how the debian-archive-keyring could
> > migrate from /etc/apt/trusted.gpg.d/ to /usr/share/keyrings/ +
> > signed-by. Right now it ships keyrings in both places.
>
> I would recommend against doing this as long as sources.list is a
> configuration file: it would need regular updates to change to the new
> signing key. That doesn't work out of the box.

Maybe apt could deprecate /etc/apt/trusted* and apt-key(8) in bullseye and
abandon them in bullseye+1. The whole concept of having one keyring that
authenticated all sources is wrong. I had my share in making
/etc/apt/trusted.d possible, but now that we have "Signed-By:" it is the
inferior solution and thus not needed anymore.

d-i should start to create sources.list with "Signed-By:" right now,
#944102 [1].

apt or debian-archive-keyring could provide a migration script for
sources.list entries without "Signed-By:" which could — at least for
origin=Debian — add the correct "Signed-By:" option.

Regards,
Timo

[1] https://bugs.debian.org/944102
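
A sketch of the migration script proposed in the bug report above, as an added example (not part of the thread and not code from apt or debian-archive-keyring): it adds a `signed-by` option to one-line-style sources.list entries that lack one when the URI host is on an assumed list of Debian archive hosts, and flags every other unpinned entry for a manual decision. The host list, the function names and the sample file are assumptions; the real Origin is stated in the archive's Release file, which this offline example does not read.

```python
import re

# Assumed for this example: hosts treated as the official Debian archive, and the
# keyring file that debian-archive-keyring installs under /usr/share/keyrings/.
DEBIAN_HOSTS = {"deb.debian.org", "security.debian.org", "ftp.debian.org"}
DEBIAN_KEYRING = "/usr/share/keyrings/debian-archive-keyring.gpg"

# One-line-style entry: type, optional [options], URI, then suite and components.
ENTRY = re.compile(r"^(?P<type>deb(?:-src)?)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?"
                   r"(?P<uri>\S+)\s+(?P<rest>.+)$")

def host_of(uri):
    m = re.match(r"^[a-z+]+://([^/:]+)", uri)
    return m.group(1).lower() if m else None

def migrate_line(line):
    """Return (new_line, status); status is 'kept', 'pinned' or 'unpinned'."""
    stripped = line.strip()
    m = ENTRY.match(stripped)
    if stripped.startswith("#") or not m:
        return line, "kept"          # comments, blank lines, anything unparsed
    opts = (m.group("opts") or "").split()
    if any(o.lower().startswith("signed-by=") for o in opts):
        return line, "kept"          # already pinned to a keyring
    if host_of(m.group("uri")) not in DEBIAN_HOSTS:
        return line, "unpinned"      # third-party source: needs a manual decision
    opts.append("signed-by=" + DEBIAN_KEYRING)
    new = "%s [%s] %s %s" % (m.group("type"), " ".join(opts), m.group("uri"), m.group("rest"))
    return new, "pinned"

def migrate(text):
    out, report = [], []
    for n, line in enumerate(text.splitlines(), 1):
        new, status = migrate_line(line)
        out.append(new)
        if status != "kept":
            report.append((n, status))   # line number and what happened to it
    return "\n".join(out) + "\n", report

# Constructed sample sources.list, not taken from any real system.
SAMPLE = """\
# main archive
deb http://deb.debian.org/debian buster main contrib
deb-src [arch=amd64] http://deb.debian.org/debian buster main
deb [signed-by=/usr/share/keyrings/example-vendor.gpg] https://repo.example.org/apt stable main
deb https://repo.example.org/apt stable main
"""
if __name__ == "__main__":
    print(*migrate(SAMPLE), sep="\n")
```

Entries reported as `unpinned` still validate against the global trusted keyrings, which is the situation the report argues against.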