Author: Tom
Date:  
To: Devuan ML
Subject: Re: [DNG] updating postgresql and x2go using apt


> On 26 Aug 2024, at 07:23, o1bigtenor via Dng <dng@???> wrote:
>
> I read through your response very very carefully - - - further comments/questions are interleaved!
>
> On Sat, Aug 24, 2024 at 7:26 PM Tom <wirelessduck@???> wrote:
>
>
>> On 24 Aug 2024, at 06:39, o1bigtenor via Dng <dng@???> wrote:
>>
>>
>> Greetings
>>
>> Postgresql has an apt repository.
>> Except it's only related to either Debian or Ubuntu.
>>
>> So if I include
>>
>> deb http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main
>>
>> in /etc/apt/sources.list
>>
>> I get on an #apt update
>>
>> E: The repository 'http://apt.postgresql.org/pub/repos/apt daedalus-pgdg Release' does not have a Release file.
>
> This error is suggesting that your sources.list configuration is still wrong.
>
> I always follow the documentation on apt.postgresql.org which in a web browser will redirect to Postgres wiki at https://wiki.postgresql.org/wiki/Apt
>
> Remove all your existing postgresql apt sources and follow the quickstart there. You need a slight modification to set the Debian codename for the setup script.
>
> This is part of what I use in my automation to install Postgres from the upstream repository:
>
> - - - - 8< - - - -
>
> # Use tzdata package to get the debian release codename
> debian_codename=$(dpkg --status tzdata | grep Provides | cut -f2 -d'-')
>
> postgresql_version="16"
>
> # Install postgresql-common
> apt install -y postgresql-common
>
> # Enable data checksums for new clusters:
> sed -i "s/#initdb_options = ''/initdb_options = '--data-checksums'/" /etc/postgresql-common/createcluster.conf
>
> # Configure postgresql repository
> /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -y "${debian_codename}"
>
>
> This is where the problem resides - - - - note the "${debian_codename}" in both line 2 and 13 - - - I am working on a devuan
> (daedalus) system and this is one area where I haven't been able to get the system to use what is automagically correct.
> The Postgresql apt repository has NO mention of anything Devuan only Debian and Ubuntu.


Yeah I could have been a bit clearer on that point. The tzdata package metadata includes the line “Provides: tzdata-bookworm”. My automation script uses this data as a way for getting the Debian release name, because it’s not included in the normal /etc/os-release file. We need to specify the debian codename to the install script so it knows which upstream repository name to use, because by default it will attempt to read /etc/os-release to obtain the release name on a Debian system install. “${debian_codename}” in my script is just there to keep it automated across multiple devuan/debian releases so I don’t need to hardcode the matching debian release name for the current devuan release.


In your case you just need to do the following:

1. Install `postgresql-common` package from default devuan repositories. This package is coming unmodified from the Debian repositories and includes a shell script to allow easy setup of the upstream postgresql apt repository. The Debian package maintainer is the same person who maintains the upstream postgresql repository so we know that it will be compatible.

2. Run the included setup script as “sudo /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh bookworm”. If you were running it from a debian system you would leave out the “bookworm” at the end.

3. Install Postgres with “apt install postgresql-16” if you want the latest version 16.

The extra sed line I have before the setup script is optional and will modify the createcluster.conf script to enable data checksums when any postgresql cluster is created. See the docs at https://www.postgresql.org/docs/current/checksums.html if you want more info on that.

>
> # Install postgresql
> apt update
> apt install -y "postgresql-${postgresql_version}"
>
> - - - - 8< - - - -
>
>> So - - - - what do I do for a Debian to Devuan workaround?
>>
>> For x2go - - it seems to be a different kind of problem.
>> Following is the error message.
>>
>> W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://packages.x2go.org/debian bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E1F958385BFE2B6E
>>
>> Sadly x2go's docs are rather outdated and I can't find a way to update what I have to what is needed.
>>
>> Is there some apt guru who would be able to advise?
>
> That error suggests you haven’t installed their repository gpg key correctly. Unfortunately their docs appear to be a bit outdated and suggest using apt-key which is either deprecated or no longer working.
>
> https://wiki.x2go.org/doku.php/wiki:repositories:debian
>
> sudo gpg --keyserver hkp://keyserver.ubuntu.com:80 --no-default-keyring --keyring /etc/apt/keyrings/x2go.gpg --recv-keys E1F958385BFE2B6E
>
> It should download the gpg key into /etc/apt/keyrings. I copied the gpg fingerprint from their docs but I’m not sure it’s in the correct format. Try and see if it works.
>
> Then update the first part of each line in the x2go.sources file to use the gpg key:
>
> deb [signed-by=/etc/apt/keyrings/x2go.gpg]
>
>
> The problem is that keyrings have been deprecated.
> Instead one is to use trusted.gpg.d which is different.
> I have not been able to find a way to add the whatevers to /etc/apt/trusted.gpg.d which is where things are supposed to be placed now.
> (Noticed that you are using keyserver.ubuntu - - - you did notice that I was doing this on a Devuan system - - - yes?)


Keyrings are not deprecated. The `apt-key` tool is what was deprecated, and that was just a convenience to allow easily adding multiple gpg keys into the one keyring for apt to use. The problem with that method is that any provided gpg key would then be available for trusting all of the configured apt sources on a system. The new current recommendation is to save each repository gpg key as a separate file and get each apt sources config to specify which individual key file it will use for trust purposes.

The reason why /etc/apt/trusted.gpg.d is not used is because key files in that location are also “trusted” by apt for any/all configured sources, so you would be unable to prevent one key from trusting the wrong repository.

Cloudflare blog has a good overview on why these changes were necessary: https://blog.cloudflare.com/dont-use-apt-key/

This is why we need to run `gpg` manually to download the key into a single file `/etc/apt/keyrings/x2go.gpg`. We can then tell the sources list entries to specify that key file as the trusted key for the x2go apt sources.

Looking at the x2go documentation page https://wiki.x2go.org/doku.php/wiki:repositories:debian, they provide an example sources.list file for release builds:

# X2Go Repository (release builds)
deb http://packages.x2go.org/debian bookworm extras main
# X2Go Repository (sources of release builds)
deb-src http://packages.x2go.org/debian bookworm extras main


You would change this to:

# X2Go Repository (release builds)
deb [signed-by=/etc/apt/keyrings/x2go.gpg] http://packages.x2go.org/debian bookworm extras main
# X2Go Repository (sources of release builds)
deb-src [signed-by=/etc/apt/keyrings/x2go.gpg] http://packages.x2go.org/debian bookworm extras main

And save it as /etc/apt/sources.list.d/x2go.list.


Then download the key file and export it to a .gpg file:

gpg --keyserver keyserver.ubuntu.com --recv-keys E1F958385BFE2B6E
gpg --export E1F958385BFE2B6E > /etc/apt/keyrings/x2go.gpg


I tested this in a Devuan Daedalus VM and this was the easiest way to get the key working. Download it into the default user keyring and then export it to the .gpg file. The url for keyserver.ubuntu.com has nothing specifically to do with Ubuntu here. We are just using their public PGP key server to download the key file. You could also replace that with pgp.mit.edu, keys.gnupg.net, or any other public PGP key server that has the key available.

One other minor point that may be confusing. The Cloudflare blog says to save the gpg key file into `/usr/share/keyrings`. Debian documentation at https://wiki.debian.org/DebianRepository/UseThirdParty says `/usr/share/keyrings` should be reserved for package-provided key files and `/etc/apt/keyrings` for manually provided key files so we use that instead.

>
> So - - - I have not been able to solve my apt issues - - - please?
>
> TIA


Hope this is a bit clearer now.

Tom
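
An added example, not part of the message above or of any project's tooling: a small audit that applies the key-scoping point from this thread, listing which apt source entries pin their own key with signed-by and which are checked against every globally trusted key. The function name `audit_sources`, the output labels and the sample tree are assumptions made for illustration, and only one-line-style `.list` entries are parsed.

```shell
#!/bin/sh
# Added example: report which apt source entries pin their own key (signed-by)
# and which rely on the globally trusted keys. Handles one-line-style entries
# only (sources.list, sources.list.d/*.list), not deb822 .sources files.
# Returns 1 when at least one active entry has no signed-by option.
audit_sources() {
    apt_dir="${1:-/etc/apt}"
    unscoped=0
    for f in "$apt_dir/sources.list" "$apt_dir"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            line="${line#"${line%%[![:space:]]*}"}"   # trim leading blanks
            case "$line" in
                "deb "*|"deb-src "*) ;;
                *) continue ;;                         # comments, blank lines
            esac
            rest="${line#* }"; opts=""; key=""
            case "$rest" in
                \[*) opts="${rest%%\]*}"; opts="${opts#\[}"; rest="${rest#*\] }" ;;
            esac
            for o in $opts; do
                case "$o" in signed-by=*) key="${o#signed-by=}" ;; esac
            done
            if [ -n "$key" ]; then
                echo "SCOPED $f:$n $key"
            else
                echo "GLOBAL $f:$n ${rest%% *}"
                unscoped=1
            fi
        done < "$f"
    done
    # Every key file in trusted.gpg.d is accepted for all configured sources.
    for k in "$apt_dir"/trusted.gpg.d/*; do
        if [ -f "$k" ]; then echo "TRUSTED-FOR-ALL $k"; fi
    done
    return "$unscoped"
}

# Constructed sample tree (not real system state) so the demo runs anywhere.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/sources.list.d" "$demo/trusted.gpg.d"
echo 'deb http://deb.devuan.org/merged daedalus main' > "$demo/sources.list"
echo 'deb [signed-by=/etc/apt/keyrings/x2go.gpg] http://packages.x2go.org/debian bookworm extras main' \
    > "$demo/sources.list.d/x2go.list"
: > "$demo/trusted.gpg.d/example-vendor.gpg"
audit_sources "$demo" || echo "at least one entry relies on globally trusted keys"
```

Run with no argument it reads /etc/apt. The distribution's own entries commonly show as GLOBAL; the lines to act on are third-party repositories.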