:: Re: [devuan-dev] [Heads up] Excalib…
Top Page
Delete this message
Reply to this message
Author: Olaf Meeuwissen
Date:  
To: devuan developers internal list
Subject: Re: [devuan-dev] [Heads up] Excalibur archive keyring missing?
Hi,

Mark Hindley <mark@???> writes:

> On Thu, Jun 29, 2023 at 08:30:19PM +0900, Olaf Meeuwissen wrote:
>> Hi all,
>>
>> I got a pile of "package such-and-such migrated to excalibur" in my
>> mailbox today. Yeay! So I had a go on building a container image for
>> it, per
>
> PLease don't. I was just starting to set it up. It isn't ready and won't work
> (yet). I expect to have it finished over the weekend.


Ok, I'll wait a bit then. I was just seeing what, if anything, needed
changes in the scripts I use to build the images.

>> [...]
>> My migration script grabs the devuan-archive-keyring from
>>
>>    https://files.devuan.org/devuan-archive-keyring.gpg

>>
>> and that has been working fine for all maintained releases so far.
>> It looks that file needs to be updated to include a new key (or a
>> key on that keyring should be used to sign the InRelease file).
>
> You need the daedalus version (2023.05.28) of devuan-keyring which
> includes the correct key.


During migration, I need the key(s) used to sign the Devuan archives
while still on Debian. And I like to do so in a slightly more secure
way than installing a devuan-keyring package by telling apt-get to
--allow-insecure-repositories *and* --allow-unauthenticated.

# Seeing the use of these options suggested in the migration guide[1]
# made my toes curl ...
#
# [1]: https://www.devuan.org/os/documentation/install-guides/chimaera/bullseye-to-chimaera

That's why I use

  curl --silent --location --show-error \
       --output /etc/apt/trusted.gpg.d/devuan-archive-keyring.gpg \
       https://files.devuan.org/devuan-archive-keyring.gpg


before switching over the APT sources from Debian to Devuan.

# Pun intended ;-)

Having a single, stable URL to get the keys is extremely convenient for
this when you are migrating *all* maintained releases whenever there is
a change in package versions and/or dependencies ;-)

So if the new key(s) can be added that would be much appreciated.

That reminds me, I should add checksumming of that file so attempts to
fiddle with it do not go unnoticed.

Hmm, I just looked at the two migration scripts that migration guide
links to and noticed that both use wget to grab the devuan-keyring
package and dpkg to install it. That might be an alternative but I'd
need to use different versions of the package for different releases.
As per pkginfo[2], 2022.09.04 for beowulf and chimaera and 2023.05.28
for daedalus and ceres (and the upcoming excalibur).

[2]: https://pkginfo.devuan.org/cgi-bin/policy-query.html?c=package&q=devuan-keyring&x=submit

>> # I know the suite name says `future-do-not-use` (as of writing). Am
>> # I jumping the gun and should I wait a day, or more?
>
> Yes
>
> Thanks for your enthusiasm though!


:-)
--
Olaf Meeuwissen