reopen 558784
thanks

]] David Kalnischkies

| While I could agree with you on a (very high) metalevel that this could
| be a valid configuration change, I have a few very simple practical
| reasons why not:
|
| - first of all: /etc/apt/trusted.gpg is not a configuration file
| [in dpkg sense] yes - it looks like one as it is in /etc - and it is in
| some ways a configuration file, but not directly if you compare it to
| "normal" configuration files like xorg.conf.

Yes, it's a configuration file. If it's not, this is an FHS violation as only configuration files should be in /etc. Dpkg does not have a concept of configuration files, it has a concept of conffiles which are shipped in the package. The trusted.gpg file is not a conffile.

That it is not a text file is irrelevant here. /etc/ssl/certs/ca-certificates.crt isn't a normal text file you sit down and configure either.

As to whether it's a valid configuration change: why is it not? Why is adding more keys to the keyring valid if removing keys is not? Why does even apt-key provide a «remove» command if that's not a valid change of configuration?

| - apt depends on debian-archive-keyring. So it explicitly says that it
| requires the complete keyring to work correctly. An administrator who
| removes parts of this keyring therefore doesn't make a valid configuration
| change - he breaks the dependency apt has causing apt to do possibly
| strange things (behavior of applications with broken dependencies is
| undefined) - Including reimporting the keyring to fix it.
| (A segfault would be also possible.)

The dependency isn't broken, I have d-a-k installed on the system, apt and apt-key can access that keyring just fine, if not apt-key update would not work.

If an application segfaults because of a missing key in a keyring, that's surely a bug in the package; this whole argument sounds like a strawman to me.

| - A keyring is a keyring because the keys together form a ring of trust.
| If you don't trust a key in the ring, you can't trust the keyring
| (if this wouldn't be the case a keyring should be called "loosely coupled
| group of keys"), so if you remove a key you effectively remove the keyring.
| This is disallowed by the dependency (as said in the previous point).

No. GPG has a trust database where I can tell it how much I trust the various keys. That does not have anything to do with whether they are in a single file or not.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are