• Bug#1102630: bookworm-pu: package debian-archive-keyring/2023.3+deb12u2

    From Chris Hofstaedtler@21:1/5 to Jonathan Wiltshire on Mon Apr 28 10:30:01 2025
    XPost: linux.debian.devel.release

    Hi,

    On Fri, Apr 11, 2025 at 09:51:14AM +0100, Jonathan Wiltshire wrote:
    +debian-archive-keyring (2023.3+deb12u2) bookworm; urgency=medium
    +
    + * Remove buster keys
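    Review bot: the changelog line `+ * Remove buster keys` should name the key IDs being removed and state the expected effect on verification, since InRelease files that still carry a signature from a removed key will no longer verify under that key and any consumer that requires every signature to check out will start failing. Something like `* Remove buster keys (IDs ...); files still co-signed with them verify only via the remaining keys` would let readers of the stable update assess the impact.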

    this broke my "dumat" installation. Now it might be argued that this
    is a bug in dumat, but maybe other things also rely on the keys.

    Specifically, dumat exploded when checking the bullseye-security (!)
    InRelease file as published on deb.debian.org.

    JFTR, dumat calls gpgv for the check:
    gpgv --quiet --weak-digest SHA1 --output --keyring ...
    and then uses the return code to check for success. From what I read
    recently in gpg bug reports, this might not be a robust
    implementation. Nevertheless it worked so far.

    I'm not saying the dumat breakage is a 100% reason to not drop the
    buster keys, but it's a datapoint for further consideration.

    Best,
    Chris

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Helmut Grohne@21:1/5 to Chris Hofstaedtler on Mon Apr 28 17:20:02 2025
    XPost: linux.debian.devel.release

    Hi Chris,

    On Mon, Apr 28, 2025 at 10:24:05AM +0200, Chris Hofstaedtler wrote:
    I'm not saying the dumat breakage is a 100% reason to not drop the
    buster keys, but it's a datapoint for further consideration.

    dumat is doing it wrong. It requires all signatures to be valid, while
    it should be checking for one valid signature. Dropping old keys is
    important as otherwise you could produce a release file with a single
    signature from that old key and it would be considered ok.

    Helmut

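The two verification policies discussed in this thread side by side, as an added example that is not part of dumat or any message above: it drives gpgv with `--status-fd` and decides from the GOODSIG/NO_PUBKEY/BADSIG status lines rather than from the exit code. The key IDs and the sample status output are constructed placeholders, not real Debian archive key IDs.

```python
import subprocess
from dataclasses import dataclass, field

# Placeholder long key IDs (assumption, not real Debian archive keys).
TRUSTED_KEYS = {"1111111111111111"}  # key that is still in the keyring


@dataclass
class VerifyResult:
    good: set = field(default_factory=set)     # key IDs reported as GOODSIG
    missing: set = field(default_factory=set)  # key IDs reported as NO_PUBKEY
    bad: set = field(default_factory=set)      # key IDs reported as BADSIG


def parse_status(status_text: str) -> VerifyResult:
    """Parse gpgv --status-fd output; only '[GNUPG:]' lines are machine-readable."""
    res = VerifyResult()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "GOODSIG":
            res.good.add(fields[2])
        elif tag == "NO_PUBKEY":
            res.missing.add(fields[2])
        elif tag == "BADSIG":
            res.bad.add(fields[2])
    return res


def all_signatures_policy(res: VerifyResult) -> bool:
    """dumat-style: every signature must verify, so one unknown (removed) key fails the file."""
    return bool(res.good) and not res.missing and not res.bad


def any_valid_signature_policy(res: VerifyResult, trusted=TRUSTED_KEYS) -> bool:
    """apt-style: at least one GOODSIG from a key in the trusted keyring is enough."""
    return any(key in trusted for key in res.good)


def run_gpgv(keyring: str, inrelease: str) -> VerifyResult:
    """Run gpgv on a clear-signed InRelease file and parse its status lines from stdout."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, inrelease],
        capture_output=True, text=True)
    return parse_status(proc.stdout)


# Constructed status output for a file signed twice: once by a key still in the
# keyring, once by a key that has since been removed (the bullseye-security case).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Placeholder Archive Signing Key
[GNUPG:] NEWSIG
[GNUPG:] NO_PUBKEY 2222222222222222
"""
```

With SAMPLE_STATUS the all-signatures policy rejects the file while the any-valid-signature policy accepts it, which is exactly the difference Helmut describes.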