From: Earle Martin
Date: 12:13 on 05 Jun 2006
Subject: apt-get and some crypto thing

root@pulsar:~$ apt-get update
[ some output nuked for brevity ]
Fetched 38.5kB in 4s (8510B/s)
Reading package lists... Done
W: GPG error: http://ftp.uk.debian.org unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F
W: You may want to run apt-get update to correct these problems

Hmmh. Okay. man apt-get. Search for 'gpg': "Pattern not found (press RETURN)". Search for "signature": "Pattern not found (press RETURN)". Search for "key": "Pattern not found (press RETURN)". Same results for "man apt".

YOUR PROGRAMMER DIES NOW
From: Earle Martin
Date: 12:56 on 05 Jun 2006
Subject: Re: apt-get and some crypto thing

On Mon, Jun 05, 2006 at 12:13:10PM +0100, Earle Martin wrote:
> W: GPG error: http://ftp.uk.debian.org unstable Release: The following
> signatures couldn't be verified because the public key is not available:
> NO_PUBKEY 010908312D230C5F
> W: You may want to run apt-get update to correct these problems

The solution seems to be apt-get install debian-archive-keyring. Would it have been too hard to mention this ANYWHERE IN THE DOCUMENTATION AT ALL rather than sending me grubbing through mailing list archives? For fuck's sake! I mean, try searching the web for that package name. Is there even one page about it? No.

Apparently debian-archive-keyring is now supposed to be a pre-req for apt:

http://lists.debian.org/deity/2006/01/msg00136.html

Well, it didn't fucking work like that for me, nor for the other hundreds or thousands of other people who tried it and ended up having to ask mailing lists or forums for help when presented with the error message.

HATE.
From: Rafael Garcia-Suarez
Date: 13:02 on 05 Jun 2006
Subject: Re: apt-get and some crypto thing

On 05/06/06, Earle Martin <hates-software@xxxxxxxx.xxx> wrote:
> Apparently debian-archive-keyring is now supposed to be a pre-req for apt:
> http://lists.debian.org/deity/2006/01/msg00136.html

Well, but so, why didn't apt upgrade itself, pulling in that new dependency as a side-effect? Some other hateful behaviour?
From: Adeodato Simó
Date: 17:08 on 05 Jun 2006
Subject: Re: apt-get and some crypto thing

* Rafael Garcia-Suarez [Mon, 05 Jun 2006 14:02:59 +0200]:
> Well, but so, why didn't apt upgrade itself, pulling in that new
> dependency as a side-effect? Some other hateful behaviour?

Because you're supposed to install recommended packages unless you explicitly know you don't want them. apt recommends debian-archive-keyring, and it's not a hard dependency to avoid the major hate that would be shoving gnupg down the throat of every Debian user on earth.
From: jrodman
Date: 21:24 on 05 Jun 2006
Subject: Re: apt-get and some crypto thing

On Mon, Jun 05, 2006 at 06:08:35PM +0200, Adeodato Simó wrote:
> * Rafael Garcia-Suarez [Mon, 05 Jun 2006 14:02:59 +0200]:
>
> > Well, but so, why didn't apt upgrade itself, pulling in that new
> > dependency as a side-effect? Some other hateful behaviour?
>
> Because you're supposed to install recommended packages unless you explicitly
> know you don't want them. apt recommends debian-archive-keyring, and
> it's not a hard dependency to avoid the major hate that would be shoving
> gnupg down the throat of every Debian user on earth.

This isn't really true. Recommended packages are recommended. You're not "supposed" to install them, it's your choice. Recommended points out that to get pieces of functionality you probably should consider those packages. Sometimes the pieces of functionality are things you'll never ever use.

debian-archive-keyring is a near-necessity for debian developers. It is the package which includes the gpg/pgp keys of every debian developer. That's a _lot_ of keys. Every debian developer really should have this. No debian user really has any reason to have this.

This "solution" is to make all debian users of "testing" and "unstable" pretend that they are developers, more or less, which is par for the course for those branches, because Debian likes to maintain an (increasingly wrong) myth that all users use 'stable'.

When I brought this up on #debian, the recommended user procedure became "type in this command sequence", where the command consisted of pulling the key from an arbitrary internet source (unverifiable) into root's personal gpg keyring (where it doesn't belong), and then exporting it from there into the appropriate apt configfile.

The hateful thing was of course that I _had_ the gpg key from the past year still installed, but it instantaneously broke on Jan 1.

The theory was the package list would still be signed with the old key as well as a new key, allowing a transition. A bug in apt prevented it from being able to handle any key but the first one used to sign. So I could just upgrade apt to fix the problem, only not without breaking the trust model and using `apt --override --do-it-you-punk'. Or I could break the trust model and force an install of the new key. Or I could break the...

Never once was a solution offered by any party (#debian, the package owner, the bts) which provided a path which did not violate the trust model, leaving you with a cryptographic package transfer system with basically no intact trust. Forever.

In any event, the current situation is that apt will spit out confusing (one might say misleading) errors that do much more harm than good if you do not have gpg and the appropriate key. Either these errors should be made so as to not be so amazingly unhelpful, or the gpg and key system should be pulled in automatically. I don't say either is a necessary path, but the choice of one or the other is.

Hate.

-josh
From: Adeodato Simó
Date: 21:35 on 05 Jun 2006
Subject: Re: apt-get and some crypto thing

* jrodman@xxxx.xxxxxxxxxx.xxx [Mon, 05 Jun 2006 13:24:10 -0700]:
> This isn't really true.

Shrug.

> debian-archive-keyring is a near-necessity for debian developers. It is
> the package which includes the gpg/pgp keys of every debian developer.
> That's a _lot_ of keys. Every debian developer really should have this.
> No debian user really has any reason to have this.

False. You are talking about the debian-keyring package:

  11M  debian-keyring_2005.05.28_all.deb
  6.0K debian-archive-keyring_2006.01.18_all.deb

debian-archive-keyring only contains the keys that are used to sign the archive, which are one for each year. And, TTBOMK, if apt does not Depend: on debian-archive-keyring, it's clearly not because of size concerns about the keyring, but because d-a-k pulls gnupg, which pulls a fair amount of dependencies.

IMO the solution to this is to create a package that only ships a stripped version of /usr/bin/gpgv, make d-a-k depend on that package instead of gnupg, and then make apt depend on d-a-k, and so half a year ago I requested [1] the creation of such a package, because I wanted this suboptimal situation to be fixed.

[1] http://bugs.debian.org/340350

But it's something I can't fix myself, so if you want to express your support for this idea, you can mail 340350@xxxx.xxxxxx.xxx.
Generated at 10:26 on 16 Apr 2008 by mariachi