Control: severity -1 important

Hi,

Thanks for the report.

Eppii <ep...@gandi.net> wrote on 13/06/2024 at 09:54:47+0200:

> Package: lxc-templates
> Version: 3.0.4.48.g4765da8-1
>
> ||/ Name           Version             Architecture Description
> +++-==============-===================-============-============================================
> ii  lxc-templates  3.0.4.48.g4765da8-1 amd64        Linux Containers userspace tools (templates)
>
> Hello !
>
> Context: we want to create an lxc with the lxc-debian template on a bookworm
> server without any access to the internet.
>
> We identified three issues preventing us from achieving our goal and had to edit
> /usr/share/lxc/templates/lxc-debian to succeed.
>
> Description:
>
> The download_debian() function states that it must verify signatures using
> /etc/apt/trusted.gpg.d/debian-archive-$release-stable.gpg
> but since bookworm, debian-archive-keyring installs gpg files into the
> /usr/share/keyrings folder only. See
> https://packages.debian.org/bookworm/all/debian-archive-keyring/filelist
> versus the bullseye version.
>
> The path
> lreleasekeyring=/etc/apt/trusted.gpg.d/debian-archive-$release-stable.gpg
> does not exist, hence it always tries to download
> from http://ftp-master.debian.org, which fails on a server without internet access.
>
> A workaround is to add the --keyring
> /usr/share/keyrings/debian-archive-$release-stable.gpg argument to the command as
> follows:
>  lxc-create -n test -t debian -- --mirror http://mymirror/debian --security-mirror http://mymirror/debian-security --release bookworm --keyring /usr/share/keyrings/debian-archive-buster-stable.gpg

You can also create a symlink as a workaround.

> A solution would be to modify line 436 from:
> -     
> lreleasekeyring=/etc/apt/trusted.gpg.d/debian-archive-$release-stable.gpg
> +    lreleasekeyring=/usr/share/keyrings/debian-archive-$release-stable.gpg
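Review bot: the `+` line swaps one hard-coded path for another, so the template would stop finding the /etc/apt/trusted.gpg.d keyring that the pre-bookworm debian-archive-keyring package installs; check /usr/share/keyrings/debian-archive-$release-stable.gpg first, fall back to the /etc/apt/trusted.gpg.d path, and only download from ftp-master when neither exists.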

It'll require a bit more flexibility to stay backward compatible. :)

> OR install the gpg keys back into the /etc/apt/trusted.gpg.d/ folder, or whatever you
> see as a better fit ;).

The motivation behind moving the keys to /usr is that /etc is for sysops to
maintain configuration/variable parts. These keys are not to be touched,
so they should go to a place that is not to be touched by sysops.

I'll design a patch.

-- 
PEB
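As an added example (not PEB's patch and not the lxc-debian template's own code), a portable sh lookup that checks the new /usr/share/keyrings location before the legacy /etc/apt/trusted.gpg.d one, and refuses to fall back to a download when the host is offline, so signature verification of the bootstrapped archive is never skipped silently. The LXC_KEYRING_DIRS override and the download placeholder are assumptions for illustration.

```shell
#!/bin/sh
# Added example: locate debian-archive-$release-stable.gpg in the bookworm
# location (/usr/share/keyrings) first, then in the pre-bookworm location
# (/etc/apt/trusted.gpg.d). LXC_KEYRING_DIRS is an assumed override used
# here so the lookup can be exercised against a scratch directory.
find_release_keyring() {
    release="$1"
    dirs="${LXC_KEYRING_DIRS:-/usr/share/keyrings /etc/apt/trusted.gpg.d}"
    for d in $dirs; do
        candidate="$d/debian-archive-$release-stable.gpg"
        if [ -r "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Pick the keyring to verify the archive with: an explicit --keyring wins,
# then the local lookup, then a download only when the host is online.
# Offline with no local keyring is an error rather than skipping verification.
# The "download-from-ftp-master" string stands in for the template's own
# download step (placeholder, not the real implementation).
resolve_keyring() {
    release="$1"; explicit="$2"; online="$3"
    if [ -n "$explicit" ]; then
        [ -r "$explicit" ] || { echo "keyring $explicit not readable" >&2; return 1; }
        printf '%s\n' "$explicit"
        return 0
    fi
    if k=$(find_release_keyring "$release"); then
        printf '%s\n' "$k"
        return 0
    fi
    if [ "$online" = yes ]; then
        echo "download-from-ftp-master"
        return 0
    fi
    echo "no local keyring for $release and no network; refusing to skip verification" >&2
    return 1
}
```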
