Re: debian-archive-keyring installing ubuntu keys?

Wed, 26 Mar 2014 02:04:28 -0700 

On 2014-03-26 8:39, Daniel Pocock wrote:

I have a project that is building in the travis-ci.org environment
(based on Ubuntu)

[...]

Unpacking debian-archive-keyring (from
.../debian-archive-keyring_2010.08.28_all.deb) ...
Setting up debian-archive-keyring (2010.08.28) ...


That package is older than the version in squeeze (i.e. oldstable).


However, even fetching the package from Ubuntu trivially shows that it 
does not contain any non-Debian keys:



$ wget 
http://mirrors.kernel.org/ubuntu/pool/universe/d/debian-archive-keyring/debian-archive-keyring_2010.08.28_all.deb

$ mkdir debtmp
$ dpkg-deb -x debian-archive-keyring_2010.08.28_all.deb debtmp

$ gpg --no-default-keyring --keyring 
debtmp/usr/share/keyrings/debian-archive-keyring.gpg --list-keys


debtmp/usr/share/keyrings/debian-archive-keyring.gpg
----------------------------------------------------
pub   1024D/F42584E6 2008-04-06 [expired: 2012-05-15]

uid                  Lenny Stable Release Key 
<debian-rele...@lists.debian.org>


pub   4096R/55BE302B 2009-01-27 [expired: 2012-12-31]

uid                  Debian Archive Automatic Signing Key (5.0/lenny) 
<ftpmas...@debian.org>


pub   2048R/6D849617 2009-01-24 [expired: 2013-01-23]

uid                  Debian-Volatile Archive Automatic Signing Key 
(5.0/lenny)


pub   4096R/B98321F9 2010-08-07 [expires: 2017-08-05]

uid                  Squeeze Stable Release Key 
<debian-rele...@lists.debian.org>


pub   4096R/473041FA 2010-08-27 [expires: 2018-03-05]

uid                  Debian Archive Automatic Signing Key (6.0/squeeze) 
<ftpmas...@debian.org>


$


<ftpmas...@ubuntu.com>" not changed
gpg: key FBB75451: "Ubuntu CD Image Automatic Signing Key
<cdim...@ubuntu.com>" not changed
gpg: Total number processed: 2
gpg:              unchanged: 2



This suggests that you've got ubuntu-keyring installed in the 
environment.



You'll notice that the messages all say "not changed". There are no new 
keys being added at this point. What's happening is this:


if which apt-key > /dev/null; then
    apt-key update
fi

[from debian-archive-keyring's postinst]

[...]

Is this simply because I'm trying to use packages from sid?  Or is this
"debian-archive-keyring" package at fault?



As far as I can tell, neither of these is the case. If you don't want 
your environment to contain Ubuntu keys, don't install ubuntu-keyring in 
it.



I can't see how to easily tell from your setup exactly what's installed 
in the environment before your job started, or I'd supply a link.



My understanding is that
because the package has debian in the name, it will give me Debian
project keys.


It does.

Regards,

Adam


--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/fb6af1ae9f456894d43ea389b01ab...@mail.adsl.funky-badger.org























					Reply via email to