deb.sury.org

Downgrade keyring dependency to recommendation

Open AgentOak opened this issue 6 months ago • 0 comments


Is your feature request related to a problem? Please describe.

To install any PHP package from the repository, the package debsuryorg-archive-keyring must be installed as well because it is a hard dependency of php-common. This package does not only put the sury keys into /usr/share/keyrings but also installs a key into the implicit trust store /etc/apt/trusted.gpg.d. I understand this was done to trick old installations into using a new key without manual intervention (or approval for that matter...).

Describe the solution you'd like

I would like to remove the keyring package as I prefer to have a clean /etc/apt/trusted.gpg.d and am able to do key management myself. Since php-common does not actually need debsuryorg-archive-keyring to function, its metadata should be updated to remove the fake dependency. A Recommends should be sufficient to prevent autoremove from removing the package even if it was automatically installed, but still allows manual removal.

Describe alternatives you've considered

  • Just dropping the dependency altogether might break old installations again because debsuryorg-archive-keyring is merely automatically installed and could be removed by autoremove at some point.

  • Likewise removing the /etc/apt/trusted.gpg.d file from the keyring package will break old installations that lack the [signed-by=/usr/share/keyrings/...] tag in their sources.list.

    • However, this could be made to work by adding a postinst script to the keyring package that scans the apt sources for the sury repository and, only if it lacks the signed-by tag, copies one of the files from /usr/share/keyrings to /etc/apt/trusted.gpg.d. Probably too unreliable.

  • A different solution would be to mark the debsuryorg-archive-keyring package as manually installed in some postinst script and then drop the dependency altogether. New installations will already have this package manually installed as per the README.txt installation instructions.

  • A workaround for end users is to create a fake/empty package with equivs that provides debsuryorg-archive-keyring solely to fulfill the dependency of php-common. Then the real debsuryorg-archive-keyring package can be uninstalled. This is an ugly workaround since it will leave a package lacking a repository source in your system, which APT frontends consider an obsolete package.

Distribution (please complete the following information):

  • OS: Debian
  • Architecture: -
  • Repository: packages.sury.org

Package(s) (please complete the following information):

php-common:
  Installed: 2:94+0~20240205.51+debian12~1.gbp6faa2e
  Candidate: 2:94+0~20240205.51+debian12~1.gbp6faa2e
  Version table:
 *** 2:94+0~20240205.51+debian12~1.gbp6faa2e 500
        500 https://packages.sury.org/php bookworm/main amd64 Packages
        100 /var/lib/dpkg/status
     2:93 500
        500 https://deb.debian.org/debian bookworm/main amd64 Packages

Additional context -

AgentOak Aug 21 '24 04:08
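The issue's alternatives hinge on whether an apt source entry for the repository carries a signed-by pin or falls back to /etc/apt/trusted.gpg.d. The script below is an added example, not code from the issue or the deb.sury.org project, that scans both one-line and deb822 source files for unpinned entries; the function names, sample file names and the keyring path example.gpg are assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from the issue or the deb.sury.org project).
# Prints every apt source entry for HOST under ROOT that has no signed-by
# pin and therefore relies on the implicit trust store in trusted.gpg.d.
unpinned_sources() {
    root=$1 host=$2
    # One-line format: sources.list and sources.list.d/*.list
    for f in "$root/sources.list" "$root"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        awk -v host="$host" -v file="$f" '
            /^[ \t]*deb(-src)?[ \t]/ && index($0, host) && $0 !~ /signed-by=/ {
                print file ":" NR
            }' "$f"
    done
    # deb822 format: sources.list.d/*.sources, stanzas split on blank lines
    for f in "$root"/sources.list.d/*.sources; do
        [ -f "$f" ] || continue
        awk -v host="$host" -v file="$f" '
            BEGIN { RS = ""; FS = "\n" }
            index($0, host) {
                pinned = 0
                for (i = 1; i <= NF; i++)
                    if (tolower($i) ~ /^signed-by:/) pinned = 1
                if (!pinned) print file ":stanza" NR
            }' "$f"
    done
}

# Constructed sample tree (hypothetical file names and keyring path).
make_sample() {
    mkdir -p "$1/sources.list.d"
    printf '%s\n' 'deb https://deb.debian.org/debian bookworm main' \
        > "$1/sources.list"
    printf '%s\n' '# deb https://packages.sury.org/php/ bookworm main' \
        'deb https://packages.sury.org/php/ bookworm main' \
        > "$1/sources.list.d/old.list"
    printf '%s\n' \
        'deb [signed-by=/usr/share/keyrings/example.gpg] https://packages.sury.org/php/ bookworm main' \
        > "$1/sources.list.d/pinned.list"
    printf '%s\n' 'Types: deb' 'URIs: https://packages.sury.org/php/' \
        'Suites: bookworm' 'Components: main' \
        > "$1/sources.list.d/php.sources"
}

demo=$(mktemp -d)
make_sample "$demo"
unpinned_sources "$demo" packages.sury.org   # flags old.list line 2 and php.sources stanza 1
rm -rf "$demo"
```

On a live system the call would be `unpinned_sources /etc/apt packages.sury.org`; an empty result means every entry for that host is pinned to an explicit keyring.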