Bug#907290: propellor: Apt.trustsKey should not call apt-key
Sean Whitton writes:

> control: tag -1 + confirmed upstream
> control: forwarded -1
> https://propellor.branchable.com/todo/Apt.trustsKey_should_not_invoke_apt-key/
>
> What we are talking about here are public keys, and in fact
> Apt.trustsKey does not work with any privcontent, but simply with a
> String, i.e., it implicitly expects the output of `gpg -a --export`
> right there in your config.hs.
>
> So Apt.trustsKey should be implemented with File.hasContents.

that makes sense to me.

Bug#907290: propellor: Apt.trustsKey should not call apt-key
control: tag -1 + confirmed upstream
control: forwarded -1 https://propellor.branchable.com/todo/Apt.trustsKey_should_not_invoke_apt-key/

Hello,

On Sat 25 Aug 2018 at 09:29PM -0300, David Bremner wrote:

> Prior to upstream commit 1d39a530, Propellor did something like
>
> (proc "gpg" ["--no-default-keyring", "--keyring", f, "--import", "-"])
>
> which created a gpg keyring, and the format of those changed at some
> point to something that apt-key does not support. To fix this breakage
> Propellor switched to calling apt-key add, which works, for now, but
> it complains, and will probably break at some point.
>
> According to the apt-key manpage
>
> "Instead of using this [add] command a keyring should be placed
>  directly in the /etc/apt/trusted.gpg.d/ directory with a
>  descriptive name and either "gpg" or "asc" as file extension."
>
> As far as I can tell, if the privdata is in the right format (which is
> always an issue with propellor), no call to gpg should be necessary,
> and trustsKey could be implemented e.g. with File.hasPrivContent.

What we are talking about here are public keys, and in fact
Apt.trustsKey does not work with any privcontent, but simply with a
String, i.e., it implicitly expects the output of `gpg -a --export`
right there in your config.hs.

So Apt.trustsKey should be implemented with File.hasContents.

-- 
Sean Whitton

Bug#907290: propellor: Apt.trustsKey should not call apt-key
Package: propellor
Version: 5.3.6-1
Severity: normal

Prior to upstream commit 1d39a530, Propellor did something like

(proc "gpg" ["--no-default-keyring", "--keyring", f, "--import", "-"])

which created a gpg keyring, and the format of those changed at some
point to something that apt-key does not support. To fix this breakage
Propellor switched to calling apt-key add, which works, for now, but
it complains, and will probably break at some point.

According to the apt-key manpage

"Instead of using this [add] command a keyring should be placed
 directly in the /etc/apt/trusted.gpg.d/ directory with a
 descriptive name and either "gpg" or "asc" as file extension."

As far as I can tell, if the privdata is in the right format (which is
always an issue with propellor), no call to gpg should be necessary,
and trustsKey could be implemented e.g. with File.hasPrivContent.

The documentation / --set hints should probably be updated to
recommend gpg --export, since (again from the apt-key manpage)

"Binary keyring files intended to be used with any apt version should
 therefore always be created with gpg --export."

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.17.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages propellor depends on:
ii  cabal-install                   2.0.0.1-1
ii  ghc [libghc-transformers-dev]   8.2.2-4
ii  git                             1:2.18.0-1
ii  libc6                           2.27-5
ii  libffi6                         3.2.1-8
ii  libghc-ansi-terminal-dev        0.8.0.2-1
ii  libghc-async-dev                2.1.1.1-2
ii  libghc-exceptions-dev           0.8.3-8
ii  libghc-hashable-dev             1.2.7.0-2
ii  libghc-hslogger-dev             1.2.10+dfsg-4
ii  libghc-ifelse-dev               0.85-14
ii  libghc-mtl-dev                  2.2.2-1
ii  libghc-network-dev              2.6.3.5-1
ii  libghc-propellor-dev            5.3.6-1
ii  libghc-split-dev                0.2.3.3-1
ii  libghc-stm-dev                  2.4.5.0-1
ii  libghc-text-dev                 1.2.3.0-1
ii  libghc-unix-compat-dev          0.5.0.1-1
ii  libgmp10                        2:6.1.2+dfsg-3

propellor recommends no packages.

propellor suggests no packages.

-- no debconf information
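
The approach discussed in this thread, as an added example that is not Propellor's code and not part of the bug report: a Python check that a string really is an armored public key of the kind `gpg -a --export` produces, followed by an idempotent write to a `.asc` file in a keyring directory, with no call to gpg or apt-key. The function names and the `keydir` and `name` parameters are assumptions of this example.

```python
import base64, os, re, tempfile
from pathlib import Path

ARMOR = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(.*?)"
                   r"\r?\n-----END PGP PUBLIC KEY BLOCK-----", re.S)

def crc24(data: bytes) -> int:  # CRC-24 of OpenPGP ASCII armor (RFC 4880, 6.1)
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor_public_key(text: str) -> bytes:
    """Return the binary packets of an armored public key, or raise ValueError."""
    if not (m := ARMOR.search(text)):
        raise ValueError("no armored PUBLIC KEY block found")
    # Drop blank lines and armor headers such as "Comment: ..." (base64 has no ':').
    body = [l.strip() for l in m.group(1).splitlines() if l.strip() and ":" not in l]
    try:
        raw = base64.b64decode("".join(l for l in body if not l.startswith("=")), validate=True)
        sums = [base64.b64decode(l[1:], validate=True) for l in body if l.startswith("=")]
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise ValueError("armor body is not valid base64") from exc
    if sums and int.from_bytes(sums[-1], "big") != crc24(raw):
        raise ValueError("armor CRC-24 mismatch (truncated or edited key?)")
    first = raw[0] if raw else 0
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F  # new / old header
    if not first & 0x80 or tag != 6:  # tag 6 = Public-Key packet, 5 = Secret-Key
        raise ValueError("first packet is not an OpenPGP public key")
    return raw

def ensure_trusted_key(keydir: str, name: str, armored: str) -> bool:
    """Make keydir/name.asc hold exactly `armored`; return True if it changed."""
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9_.-]*", name):
        raise ValueError("unsafe keyring name")  # no path separators, no dotfiles
    dearmor_public_key(armored)  # refuse anything that is not a public key
    path, wanted = Path(keydir, name + ".asc"), armored.encode()
    if path.is_file() and path.read_bytes() == wanted:
        return False  # already in place, nothing to do
    fd, tmp = tempfile.mkstemp(dir=keydir)  # same directory, so the rename is atomic
    with os.fdopen(fd, "wb") as fh:
        fh.write(wanted)
    os.chmod(tmp, 0o644)  # the key file must be world-readable for apt to use it
    os.replace(tmp, path)
    return True
```

On a real system `keydir` would be `/etc/apt/trusted.gpg.d/`, the directory named in the apt-key manpage quote above.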