[pkg-lxc-devel] Bug#1073132: Bug#1073132: LXC debian template can't find gpg pub keys on Bookworm without network

Eppii eppii at gandi.net
Thu Jun 13 12:02:57 BST 2024


Hello,

Just a comment about backward compatibility below:

> On 13 Jun 2024, at 11:40, Pierre-Elliott Bécue <peb at debian.org> wrote:
> 
> Control: severity -1 important
> 
> Hi,
> 
> Thanks for the report.
> 
> Eppii <eppii at gandi.net> wrote on 13/06/2024 at 09:54:47+0200:
> 
>> Package: lxc-templates
>> Version: 3.0.4.48.g4765da8-1
>> 
>> ||/ Name           Version             Architecture Description
>> +++-==============-===================-============-============================================
>> ii  lxc-templates  3.0.4.48.g4765da8-1 amd64        Linux Containers userspace tools (templates)
>> 
>> Hello !
>> 
>> Context: we want to create an LXC container with the lxc-debian template on a bookworm server without any internet access.
>> 
>> We identified three issues preventing us from achieving our goal and had to edit /usr/share/lxc/templates/lxc-debian to succeed.
>> 
>> Description:
>> 
>> The download_debian() function states that it must verify signatures using /etc/apt/trusted.gpg.d/debian-archive-$release-stable.gpg
>> but since bookworm, debian-archive-keyring install gpg files into the /usr/share/keyrings folder only. See
>> https://packages.debian.org/bookworm/all/debian-archive-keyring/filelist versus bullseye version.
>> 
>> The path lreleasekeyring=/etc/apt/trusted.gpg.d/debian-archive-$release-stable.gpg does not exist, hence it always tries to download
>> from http://ftp-master.debian.org, which fails on a server without internet access.
>> 
>> A workaround is to add the --keyring /usr/share/keyrings/debian-archive-$release-stable.gpg arguments to the command as follows:
>> lxc-create -n test -t debian -- --mirror http://mymirror/debian --security-mirror http://mymirror/debian-security --release bookworm --keyring /usr/share/keyrings/debian-archive-buster-stable.gpg
> 
> You can also create a symlink as a workaround.
> 
>> A solution would be to modify line 436 from:
>> -     lreleasekeyring=/etc/apt/trusted.gpg.d/debian-archive-$release-stable.gpg
>> +    lreleasekeyring=/usr/share/keyrings/debian-archive-$release-stable.gpg
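Review bot: replacing one hard-coded path with another drops the /etc/apt/trusted.gpg.d location entirely, and on releases before bookworm (bullseye, per the filelist comparison above) that is where debian-archive-keyring still puts the file, so the template would then fall through to the ftp-master download on exactly those systems. Probe both locations in order, e.g. `for d in /usr/share/keyrings /etc/apt/trusted.gpg.d; do [ -r "$d/debian-archive-$release-stable.gpg" ] && lreleasekeyring="$d/debian-archive-$release-stable.gpg" && break; done`, and keep the network download strictly as the last resort when neither file is present.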
> 
> It'll require a bit more flexibility to stay backward compatible. :)

It seems that the pub keys have lived in /usr/share/keyrings/ for a long time now, and will stay that way in the future; see https://packages.debian.org/buster/all/debian-archive-keyring/filelist

Shouldn't it source from the /usr path from the beginning?

> 
>> OR install the gpg keys back to etc/apt/trusted.gpg.d/ folder or whatever you see as a better fit ;).
> 
> The motivation behind moving the keys to /usr is that /etc is for sysops to
> maintain configuration/variable parts. These keys are not to be touched,
> so they should go to a place that is not to be touched by sysops.
> 
> I'll design a patch.
> 
> -- 
> PEB

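A backward-compatible way to resolve the release keyring offline, as an added example in POSIX sh that is not the lxc-debian template's own code: it checks /usr/share/keyrings first, falls back to the legacy /etc/apt/trusted.gpg.d location, honours an explicit --keyring override, and reports failure instead of silently downloading. The function names and the optional search-directory arguments (used to test against constructed paths) are assumptions.

```shell
#!/bin/sh
# Locate debian-archive-$release-stable.gpg without touching the network.
# Hypothetical helper (not from the lxc-debian template).
#
# Usage: find_release_keyring RELEASE [DIR...]
# Prints the first readable keyring path and returns 0; returns 1 if none
# exists. DIR arguments override the default search order (for testing).
find_release_keyring() {
    release="$1"; shift
    if [ "$#" -eq 0 ]; then
        # Modern location first (bookworm and later), legacy location second.
        set -- /usr/share/keyrings /etc/apt/trusted.gpg.d
    fi
    for dir in "$@"; do
        candidate="$dir/debian-archive-$release-stable.gpg"
        if [ -r "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Usage: resolve_keyring RELEASE OVERRIDE [DIR...]
# OVERRIDE is the value of an explicit --keyring argument ("" if not given).
# An explicit keyring that does not exist is an error, not a reason to fall
# back to a download, so the caller never verifies against the wrong key.
resolve_keyring() {
    release="$1"; override="$2"; shift 2
    if [ -n "$override" ]; then
        [ -r "$override" ] || return 1
        printf '%s\n' "$override"
        return 0
    fi
    find_release_keyring "$release" "$@"
}

# Stand-alone demo: DEMO_RELEASE=bookworm sh this_script.sh
if [ -n "${DEMO_RELEASE:-}" ]; then
    find_release_keyring "$DEMO_RELEASE" \
        || echo "no local keyring for $DEMO_RELEASE; refusing to download" >&2
fi
```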