Re: apt-get and some crypto thing


From: jrodman
Subject: Re: apt-get and some crypto thing
Date: 21:24 on 05 Jun 2006
On Mon, Jun 05, 2006 at 06:08:35PM +0200, Adeodato Simó wrote:
> * Rafael Garcia-Suarez [Mon, 05 Jun 2006 14:02:59 +0200]:
> 
> > Well, but so, why apt didn't upgrade itself, pulling it that new
> > dependency as a side-effect? Some other hateful behaviour?
> 
> Because you're supposed to install recommended packages unless you explicitly
> know you don't want them. apt recommends debian-archive-keyring, and
> it's not a hard dependency to avoid the major hate that would be shoving
> gnupg down the throat of every Debian user on earth.

This isn't really true.

Recommended packages are recommended.  You're not "supposed" to install
them, it's your choice.  Recommended points out that to get pieces of
functionality you probably should consider those packages.  Sometimes
the pieces of functionality are things you'll never ever use.

debian-archive-keyring is a near-necessity for debian developers.  It is
the package which includes the gpg/pgp keys of every debian developer.
That's a _lot_ of keys.  Every debian developer really should have this.
No debian user really has any reason to have this.  

This "solution" is to make all debian users of "testing" and "unstable"
pretend that they are developers, more or less, which is par for the
course for those branches, because Debian likes to maintain an
(increasingly wrong) myth that all users use 'stable'.  

When I brought this up on #debian, the recommended user procedure became
"type in this command sequence", where the command consisted of pulling
the key from an arbitrary internet source (unverifiable) into root's
personal gpg keyring (where it doesn't belong), and then exporting it
from there into the appropriate apt configfile.

The hateful thing was of course that I _had_ the gpg key from the past
year still installed, but it instantaneously broke on Jan 1.  The theory
was the package list would still be signed with the old key as well as a
new key, allowing a transition.  A bug in apt prevented it from being
able to handle any key but the first one used to sign.

So I could just upgrade apt to fix the problem, only not without
breaking the trust model and using `apt --override --do-it-you-punk'.
Or I could break the trust model and force an install of the new key.
Or I could break the... Never once was a solution offered by any part
(#debian, the package owner, the bts) which provided a path which did
not violate the trust model, leaving you with a cryptographic package
transfer system with basically no intact trust.  Forever.

In any event, the current situation is that apt will spit out confusing
(one might say misleading) errors that do much more harm than good if
you do not have gpg and the appropriate key.  Either these errors should
be made so as to not be so amazingly unhelpful, or the gpg and key
system should be pulled in automatically.  I don't say either is a
necessary path, but the choice of one or the other is.

Hate.

-josh
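The key-transition check the post says apt got wrong, as an added example that is not code from the post or from apt itself: it parses a detached Release.gpg into its OpenPGP signature packets and compares accepting only the first issuer against accepting any issuer already in the trusted set. The key IDs and the signature bytes are constructed, and the packet builder fills the hash and MPI fields with dummies, so nothing here is a real or verifiable signature.

```python
ISSUER_SUBPACKET = 16  # RFC 4880 5.2.3.5: "Issuer" subpacket holding the 8-byte key ID

# Constructed key IDs for the example; they are not real Debian archive keys.
OLD_ARCHIVE_KEY = bytes.fromhex("0102030405060708")
NEW_ARCHIVE_KEY = bytes.fromhex("1112131415161718")

def build_signature_packet(issuer_key_id: bytes) -> bytes:
    """Minimal OpenPGP v4 signature packet: only the issuer subpacket is real,
    the hash prefix and MPI are dummies (parseable test data, not a signature)."""
    subpkt = bytes([1 + len(issuer_key_id), ISSUER_SUBPACKET]) + issuer_key_id
    body = bytes([4, 0x00, 1, 8])                      # v4, binary sig, RSA, SHA-256
    body += (0).to_bytes(2, "big")                     # hashed subpacket area: empty
    body += len(subpkt).to_bytes(2, "big") + subpkt    # unhashed area: issuer
    body += b"\x12\x34"                                # left 16 bits of hash (dummy)
    body += (8).to_bytes(2, "big") + b"\x80"           # one dummy 8-bit MPI
    return bytes([0x88, len(body)]) + body             # old-format header: tag 2, 1-octet length

def iter_packets(data: bytes):
    """Yield (tag, body) for old-format OpenPGP packets with 1- or 2-octet lengths."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if hdr & 0xC0 != 0x80:
            raise ValueError("unsupported packet header")
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 0:
            length, pos = data[pos + 1], pos + 2
        elif ltype == 1:
            length, pos = int.from_bytes(data[pos + 1:pos + 3], "big"), pos + 3
        else:
            raise ValueError("unsupported length type")
        yield tag, data[pos:pos + length]
        pos += length

def issuer_key_ids(release_gpg: bytes) -> list:
    """Issuer key ID of every v4 signature packet, in file order (a multi-signed
    Release.gpg is just these packets concatenated)."""
    ids = []
    for tag, body in iter_packets(release_gpg):
        if tag != 2 or body[0] != 4:
            continue
        pos = 4
        for _ in range(2):                             # hashed, then unhashed subpackets
            end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
            pos += 2
            while pos < end:
                sp_len = body[pos]                     # assumes subpacket length < 192
                if body[pos + 1] == ISSUER_SUBPACKET:
                    ids.append(body[pos + 2:pos + 1 + sp_len].hex().upper())
                pos += 1 + sp_len
    return ids

def first_signature_trusted(release_gpg: bytes, trusted: set) -> bool:
    ids = issuer_key_ids(release_gpg)                  # the behaviour the post describes
    return bool(ids) and ids[0] in trusted

def any_signature_trusted(release_gpg: bytes, trusted: set) -> bool:
    return any(k in trusted for k in issuer_key_ids(release_gpg))  # what a transition needs

# Constructed Release.gpg: new key signs first, old (still trusted) key second.
RELEASE_GPG = build_signature_packet(NEW_ARCHIVE_KEY) + build_signature_packet(OLD_ARCHIVE_KEY)
TRUSTED = {OLD_ARCHIVE_KEY.hex().upper()}
```

With the old key still in the trusted set, the first-only check rejects the file while the any-signature check accepts it, which is the difference between a transition that works and one that breaks on Jan 1.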

Generated at 22:01 on 05 Jun 2006 by mariachi 0.52