-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FEATURE REQUEST] pkgrepo should follow current Debian standards #59785
Comments
Just noting that an armoured keyring (e.g.
|
@sagetherage the label says
|
true, I likely need a better label, ATM I am not sure what that would be, exactly. perhaps 'package-repo"? |
moving this out of triage as we will need to follow a standard and for debian packages at least we should follow their standard, this will need to be planned, but moving from triage to planning. |
Removed from the Packaging project since this is about salt code, and not salt's Packages or Repos directly. |
Are there working ways to handle repositories with a separate keyking (signed-by=) in the mean time ? Currently for me, when trying to manually add a [signed-by= ] tag to the name attribute, salt keeps adding a new line to the .list file each time it's called. |
|
Do you think its worth adding a mild warning note to the docs ? Just to perhaps point people in the right direction about how to do it properly ? (e.g. present a workaround snippet in the docs ?) |
This refers only to the |
@eliasp it clearly says at the top of the first paragraph on the page (https://wiki.debian.org/DebianRepository/UseThirdParty):
i.e. the default SHOULD be binary and you CAN provide ascii in addition, NOT instead ! I would also point you to the box on that page that highlights the following statement:
|
Ok, you convinced me… binary it is then. 😄 |
As SaltStack still uses the deprecated `apt-key` tool internally, which will stop working with Ubuntu 20.10, manage the repo key and sources.list file manually instead. See also: - saltstack/salt#59785 - saltstack/salt#59456 This might be reverted at some point in the future, once the deployed Minions are sufficiently modern and include the updated pkgrepo implementation.
According to that man-page, which also clearly says (right at the top) that this utility is deprecated, neither /usr/share/keyrings, nor /etc/apt/keyrings should be used, but /etc/apt/trusted.gpg.d:
Which is (again) in contrast to the wiki page, which says:
The question now is whether to follow the man-page of a deprecated tool or rather the Debian guidelines... |
I already told you previously that you linked to the You should be following the man page in the release of the operating system that you are using, i.e. |
But now I was referring to the bullseye man-page, as linked by you: https://manpages.debian.org/bullseye/apt/apt-key.8.en.html
|
Nobody needs to read any manuals or anything to find where the key is, because it's listed right in sources list with Just make it an optional parameter, and default it to |
I merged in #61760 but I will follow up next week with another PR with these changes. |
K thoughts on this? #62159 |
It's still not quite correct, sorry. It says (in pkgrepo.py):
But, again, this is only half of the truth. The wiki page states (see above):
So the destination directory (and filename) really depends on how the specific key will be managed after its initial creation... |
Since we are using the pkgrepo state to manage the key and not a package it would be /etc/apt/keyrings then. Thats how I understand that statement. |
@dhs-rec there's no possible way for Salt to know the future plans of some other developer. If the user happens to know that it will be package-managed in future, then they can pass |
But the person writing the Salt state knows. There are projects out there which provide keyring packages. In this case one would simply:
In this case the key should go into /usr/share/keyrings, otherwise into /etc/apt/keyrings. |
As @OrangeDog stated you would need to pass in the keydir path. If you are using the |
Yes, sure. |
Closing now that #62159 is merged |
Neither of these have been documented. |
The signedby state arg was removed here: #62215 with an explanation in the PR. |
Oh I see. Thought it was going to be on the state function, given the previous discussion. |
I'm with @OrangeDog . Bit of a weird decision. |
I wonder whether it would make sense to simply write the files in
would become
Options in
See |
It should also be possible to support both formats without breaking anything. For example, if the |
hmm, I would prefer an explicit flag (defaulting to whatever fits backwards compatibility) over magic any day. |
Is your feature request related to a problem? Please describe.
Debian have deprecated
apt-key
and strongly recommended no longer adding third party keys to the global apt trust.Instead, these recommendations should be followed: https://wiki.debian.org/DebianRepository/UseThirdParty
Note that the name of the key file
NAME-archive-keyring.gpg
and sources listNAME.list
should match.Describe the solution you'd like
When the
pkgrepo.managed
state should be able (and ideally prefer) to set up repos according to these specifications.The same should be done when the key is from a keyserver. The file may also require de-armouring if the repo isn't following the new specification.
To make this easier, the current (inconsistent with other backends) behaviour of requiring the
name
to be the verbatim line may need deprecating or otherwise avoiding. For standards-compliant repos it should be as simple as possible, withfile
,key_url
,comps
using the defaults.Describe alternatives you've considered
Doing it manually with
file.managed
states and ignoringpkgrepo
.Additional context
Salt itself echoes this specification in its instructions: https://repo.saltproject.io/#debian
It's a bit paradoxical that it doesn't have the ability to follow it itself.
The text was updated successfully, but these errors were encountered: