[Git-commits] [grml/grml-debootstrap] ea978f: Fix Grml repository usage

Michael Prokop noreply at github.com
Fri Dec 3 13:09:20 CET 2021 

  Branch: refs/heads/master
  Home:   https://github.com/grml/grml-debootstrap
  Commit: ea978f623109baa1d686f90d200cb50fd2d3fdff
      https://github.com/grml/grml-debootstrap/commit/ea978f623109baa1d686f90d200cb50fd2d3fdff
  Author: Michael Prokop <mika at grml.org>
  Date:   2021-12-03 (Fri, 03 Dec 2021)

  Changed paths:
    M chroot-script

  Log Message:
  -----------
  Fix Grml repository usage

More recent versions of apt no longer accept unsigned repositories, and fail with:

| The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 21E0CA38EA2EA4AB
| Reading package lists... Done
| W: GPG error: http://deb.grml.org grml-stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 21E0CA38EA2EA4AB
| E: The repository 'http://deb.grml.org grml-stable InRelease' is not signed.
| N: Updating from such a repository can't be done securely, and is therefore disabled by default.
| N: See apt-secure(8) manpage for repository creation and user configuration details.

By enabling the Acquire::AllowInsecureRepositories=1 option, we can avoid this failure:

| W: GPG error: http://deb.grml.org grml-stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 21E0CA38EA2EA4AB
| W: The repository 'http://deb.grml.org grml-stable InRelease' is not signed.
| N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
| N: See apt-secure(8) manpage for repository creation and user configuration details.

While at it:

* simplify code
* don't check for "grml" inside /etc/apt/sources.list.d/grml.list,
  instead assume the file was set up as needed if it exists already
* improve apt pinning configuration:
  - no need to pin Grml *and* Debian repositories, instead let's
    set up only the Grml repository and reduce it to a pinning of 100
  - use /etc/apt/preferences.d/grml.pref instead of /etc/apt/preferences
* drop direct gpg usage, this is error prone (gpg keyservers known to be
  unavailable, we might not have gpg executable available, its code is
  fallback and untested,...)
* set up Grml's apt configuration with usage of
  "signed-by=/usr/share/keyrings/grml-archive-keyring.gpg"

Thanks: Karl Voit for the bug report
Closes: grml/grml-debootstrap#187

More information about the Git-commits mailing list