On Wednesday, 23.10.2019, 13:59 +0200, Johannes Schauer wrote:
> Hi,
>
> Quoting Benjamin Drung (2019-10-23 13:35:38)
> > It is very convenient that building a basic chroot can be done without
> > specifying a lot of parameters:
> >
> >     $ mmdebstrap buster /tmp/buster.tar.xz
> >
> > Sadly this call will fail if you build a Debian chroot on Ubuntu or an
> > Ubuntu chroot on Debian. You can to look up how to specify a keyring:
> >
> >     --aptopt='Dir::Etc::Trusted "/usr/share/keyrings/debian-archive-keyring.gpg"'
> >
> > It would be nice if mmdebstrap had a --keyring option for specifying the
> > keyring file. Maybe it would be nice if mmdebstrap would look for the
> > correct keyring for Debian and Ubuntu chroots by default.
>
> Yes, I see the problem. This has not been fixed yet, because I'm not using
> any Debian derivative myself. I wonder what the best way to fix this would
> be?
>
> Adding a --keyring option would save some typing over typing
>
>     --aptopt='Dir::Etc::Trusted
>
> But it would still require typing the full path.
>
> You probably can shorten your line above a bit by using:
>
>     --aptopt='Dir::Etc::TrustedParts "/usr/share/keyrings/"'
>
> But this assumes that /usr/share/keyrings does not contain anything that
> you don't want to validate against.
>
> If I add a way to automatically choose the right keyring it could become a
> bit non-reliable in the long term because at least Debian keyring files
> keep changing filenames and mmdebstrap would have to catch up with what is
> valid for stable, oldstable and oldoldstable.
>
> Automatically choosing the keyring also has the disadvantage that it's not
> clear to me how the user should best disable that functionality if it's
> not desired. Lastly, every automatism might create unexpected behaviour.
>
> Until there is a better solution I think the easiest way right now for
> people who often build cross-distro images, is to let their system apt
> (which is the one used by mmdebstrap) trust the right keys by adding
> symlinks into /etc/apt/trusted.gpg.d.

Since automatically choosing the right keyring is non-reliable and adding
symlinks into /etc/apt/trusted.gpg.d affects the host system, I like to
have a --keyring parameter until there is a better solution found. This
--keyring parameter should set the apt option Dir::Etc::Trusted if it
points to a file and Dir::Etc::TrustedParts if it points to a directory.

I can remember --keyring and find the correct full path without needing to
look into a man page.

-- 
Benjamin Drung
Debian & Ubuntu Developer

Platform Engineering Compute (Enterprise Cloud)

1&1 IONOS SE | Greifswalder Str. 207 | 10405 Berlin | Germany
E-mail: benjamin.dr...@cloud.ionos.com | Web: www.ionos.de

Head office Montabaur, District Court Montabaur, HRB 24498
Management Board: Dr. Christian Böing, Hüseyin Dogan, Hans-Henning Kettler,
Matthias Steinberg, Achim Weiß
Chairman of the Supervisory Board: Markus Kadelke

Member of United Internet
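
The mapping proposed above for --keyring (a file sets Dir::Etc::Trusted, a directory sets Dir::Etc::TrustedParts), written as a shell helper. This is an added example, not part of the original e-mail and not mmdebstrap code; the function name keyring_aptopt is hypothetical, and it assumes apt picks up *.gpg and *.asc files from a TrustedParts directory.

```shell
#!/bin/sh
# Added example, not mmdebstrap code: keyring_aptopt is a hypothetical helper.

# Print the apt option for a keyring path: Dir::Etc::Trusted for a file,
# Dir::Etc::TrustedParts for a directory. Returns non-zero for anything else.
keyring_aptopt() {
    path=$1
    # The path ends up inside a double-quoted apt configuration value, so a
    # double quote or newline in it would end that value early.
    case $path in
        *'"'*|*'
'*) echo "keyring_aptopt: unsafe character in path" >&2; return 2 ;;
        /*) ;;
        *) echo "keyring_aptopt: path must be absolute" >&2; return 2 ;;
    esac
    if [ -f "$path" ]; then
        printf 'Dir::Etc::Trusted "%s"\n' "$path"
    elif [ -d "$path" ]; then
        # Every keyring in the directory becomes trusted (assumed: *.gpg and
        # *.asc). List them on stderr so an unexpected one is noticed.
        for f in "$path"/*.gpg "$path"/*.asc; do
            if [ -f "$f" ]; then
                echo "keyring_aptopt: will trust $f" >&2
            fi
        done
        printf 'Dir::Etc::TrustedParts "%s"\n' "${path%/}/"
    else
        echo "keyring_aptopt: $path is neither a file nor a directory" >&2
        return 1
    fi
}

# Usage, with the suite and target from the thread:
#   opt=$(keyring_aptopt /usr/share/keyrings/debian-archive-keyring.gpg) &&
#       mmdebstrap --aptopt="$opt" buster /tmp/buster.tar.xz
```

Because the option is passed per invocation, the host's /etc/apt/trusted.gpg.d stays untouched, and the directory listing on stderr addresses the concern that /usr/share/keyrings may hold keyrings you do not want to validate against.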