Hello, just a comment about backward compatibility below:

> On 13 Jun 2024, at 11:40, Pierre-Elliott Bécue <p...@debian.org> wrote:
>
> Control: severity -1 important
>
> Hi,
>
> Thanks for the report.
>
> Eppii <ep...@gandi.net> wrote on 13/06/2024 at 09:54:47+0200:
>
>> Package: lxc-templates
>> Version: 3.0.4.48.g4765da8-1
>>
>> ||/ Name           Version             Architecture Description
>> +++-==============-===================-============-============================================
>> ii  lxc-templates  3.0.4.48.g4765da8-1 amd64        Linux Containers userspace tools (templates)
>>
>> Hello !
>>
>> Context: we want to create a lxc with the lxc-debian template on a bookworm
>> server without any access to internet.
>>
>> We identified three issues preventing to achieve our goal and had to edit
>> the /usr/share/lxc/templates/lxc-debian to succeed.
>>
>> Description:
>>
>> The download_debian() function states that it must verify signatures using
>> /etc/apt/trusted.gpg.d/debian-archive-$release-stable.gpg
>> but since bookworm, debian-archive-keyring installs gpg files into the
>> /usr/share/keyrings folder only. See
>> https://packages.debian.org/bookworm/all/debian-archive-keyring/filelist
>> versus bullseye version.
>>
>> Path
>> lreleasekeyring=/etc/apt/trusted.gpg.d/debian-archive-$release-stable.gpg
>> does not exist hence it always tries to download
>> from http://ftp-master.debian.org. Which fails on a no internet access
>> server.
>>
>> A workaround is to add the --keyring
>> /usr/share/keyrings/debian-archive-$release-stable.gpg args to the command
>> as follows:
>> lxc-create -n test -t debian -- --mirror http://mymirror/debian
>> --security-mirror http://mymirror/debian-security --release bookworm
>> --keyring /usr/share/keyrings/debian-archive-buster-stable.gpg
>
> You can also create a symlink as a workaround.
>
>> A solution would be to modify the line 436 from:
>> -
>> lreleasekeyring=/etc/apt/trusted.gpg.d/debian-archive-$release-stable.gpg
>> + lreleasekeyring=/usr/share/keyrings/debian-archive-$release-stable.gpg
>
> It'll require a bit more flexibility to stay backward compatible. :)

It seems that pub keys have lived in /usr/share/keyrings/ for a long time now,
and will stay this way in the future; see
https://packages.debian.org/buster/all/debian-archive-keyring/filelist
Shouldn’t it source from the beginning into the /usr path?

>
>> OR install the gpg keys back to etc/apt/trusted.gpg.d/ folder or whatever
>> you see as a better fit ;).
>
> The motivation behind moving the keys to /usr is that /etc is for sysops to
> maintain configuration/variable parts. These keys are not to be touched,
> so they should go to a place that is not to be touched by sysops.
>
> I'll design a patch.
>
> --
> PEB
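
Review bot: the replacement at line 436 swaps one hard-coded location for another, so a host that has the key only at /etc/apt/trusted.gpg.d/debian-archive-$release-stable.gpg would stop finding its local keyring and fall through to the download from http://ftp-master.debian.org, which is the failure the report describes on a server without internet access. Suggest setting lreleasekeyring to the /usr/share/keyrings file when it exists and falling back to the /etc/apt/trusted.gpg.d file otherwise, so both layouts are covered before any download is attempted.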
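
The keyring lookup discussed in this thread, written so that both locations keep working. This is an added example, not code from the thread or from the lxc-debian template; `find_release_keyring`, its optional root argument and the codename `oldrel` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: resolve the archive keyring for a release from local paths
# only. find_release_keyring and its ROOT argument are hypothetical names,
# not part of lxc-debian.

# Print the first usable keyring for RELEASE; return 1 if none is installed.
# ROOT (default: empty, i.e. the real filesystem) lets the lookup run against
# a constructed directory tree.
find_release_keyring() {
    release=$1
    root=${2:-}
    # Accept only a plain codename, so the value cannot escape the keyring
    # directories (e.g. "../../tmp/x").
    case $release in
        ''|*[!a-z0-9]*) return 2 ;;
    esac
    # Current location first (bookworm ships keys only here), then the
    # path the template checks today.
    for dir in /usr/share/keyrings /etc/apt/trusted.gpg.d; do
        candidate=$root$dir/debian-archive-$release-stable.gpg
        # Must be a regular, non-empty, readable file.
        if [ -f "$candidate" ] && [ -s "$candidate" ] && [ -r "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Constructed sample tree: bookworm key under /usr only, a made-up release
# "oldrel" under /etc only, nothing for trixie.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/share/keyrings" "$demo_root/etc/apt/trusted.gpg.d"
echo placeholder > "$demo_root/usr/share/keyrings/debian-archive-bookworm-stable.gpg"
echo placeholder > "$demo_root/etc/apt/trusted.gpg.d/debian-archive-oldrel-stable.gpg"

for rel in bookworm oldrel trixie; do
    if path=$(find_release_keyring "$rel" "$demo_root"); then
        echo "$rel: $path"
    else
        echo "$rel: no local keyring, pass --keyring explicitly" >&2
    fi
done
rm -rf "$demo_root"
```

When no local file is found the function only reports failure; whether to download a key at that point is left to the caller.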