• Update of debian-archive-keyring in stretch?

    From Utkarsh Gupta@21:1/5 to utkarsh@debian.org on Tue Sep 14 14:50:02 2021
    Hello all,

    On Thu, Aug 26, 2021 at 12:33 AM Utkarsh Gupta <utkarsh@debian.org> wrote:
    > > The missing key creates problems for example with simple-cdd:
    > > https://bugs.debian.org/992966
    >
    > Okay, I'll be happy to do the update. Though I wonder if it'd rather
    > be helpful in just doing a rebuild of buster to stretch instead of
    > backporting the changes each time?

    Slight ping on this. I'm inclined towards rebuilding the same package
    for stretch. Does anybody have an opinion or opposition on this? :)

    I intend to do this in the next couple of days, so let me know what
    you think.


    - u


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Raphael Hertzog@21:1/5 to Utkarsh Gupta on Wed Sep 15 08:20:03 2021
    Hi Utkarsh,

    On Tue, 14 Sep 2021, Utkarsh Gupta wrote:
    > On Thu, Aug 26, 2021 at 12:33 AM Utkarsh Gupta <utkarsh@debian.org> wrote:
    > > > The missing key creates problems for example with simple-cdd:
    > > > https://bugs.debian.org/992966
    > >
    > > Okay, I'll be happy to do the update. Though I wonder if it'd rather
    > > be helpful in just doing a rebuild of buster to stretch instead of
    > > backporting the changes each time?
    >
    > Slight ping on this. I'm inclined towards rebuilding the same package
    > for stretch. Does anybody have an opinion or opposition on this? :)
    >
    > I intend to do this in the next couple of days, so let me know what
    > you think.

    Did you look at the differences to make up your mind before asking the question?

    I know that manually playing with jetring is not really fun but there are
    a number of differences that make it likely that backporting the change
    is probably safer (dependency removal, separate keyrings) to not introduce unexpected changes.

    Cheers,
    --
    ⢀⣴⠾⠻⢶⣦⠀ Raphaël Hertzog <hertzog@debian.org>
    ⣾⠁⢠⠒⠀⣿⡁
    ⢿⡄⠘⠷⠚⠋ The Debian Handbook: https://debian-handbook.info/get/
    ⠈⠳⣄⠀⠀⠀⠀ Debian Long Term Support: https://deb.li/LTS

  • From Utkarsh Gupta@21:1/5 to hertzog@debian.org on Sat Oct 2 18:30:01 2021
    Hi Jonathan,

    On Wed, Aug 25, 2021 at 11:27 PM Raphael Hertzog <hertzog@debian.org> wrote:
    > it would be nice if we could get an update of debian-archive-keyring
    > in stretch to add the bullseye key just like it has been done in buster a
    > while ago:
    > https://tracker.debian.org/news/1236764/accepted-debian-archive-keyring-20191deb10u1-source-all-into-proposed-updates-stable-new-proposed-updates/

    Whilst prepping an update for stretch, I cherry-picked the following
    commits from the salsa repository w cross-checking the update
    as proposed via #985371:

    464dc87f2dc7d5ef84150a1fe5b326ba9bb5174e -> Add automatic
    signing keys for bullseye.

    379aebbdf44d2fa9bde4eb5904c9e860cd13eb28 -> Add Debian
    Stable Release Key (11/bullseye).

    74d1b0366c01b1b4653b5eba24f751655c25bb96 -> Refresh
    signatures over keyrings/debian-archive-keyring.gpg (and not keyrings/debian-archive-removed-keys.gpg since I'm not
    removing any keys in this update).

    With these 3 commits, I tried to build the package and it failed
    with the following error:
    8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<
    gpg --no-options --no-default-keyring --no-auto-check-trustdb --trustdb-name ./trustdb.gpg \
      --keyring keyrings/team-members.gpg \
      --verify active-keys/index.gpg active-keys/index
    gpg: Signature made Wed Feb 24 20:38:18 2021 UTC
    gpg:                using RSA key 0032DDC8B18C9DE1989FC76D44D32AB5FA26F8C9
    gpg: ./trustdb.gpg: trustdb created
    gpg: BAD signature from "Jonathan Wiltshire <jmw@debian.org>" [expired]
    Makefile:9: recipe for target 'verify-indices' failed
    8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<

    I then also cherry-picked 0b6a54a5302793954af9659a399e76169281b98b,
    that is, updating your key. But it still failed with the same
    error. I am not sure what's up? Do you have an idea what's
    happening? TIA!


    - u

  • From Utkarsh Gupta@21:1/5 to utkarsh@debian.org on Sat Oct 2 20:20:01 2021
    On Sat, Oct 2, 2021 at 9:35 PM Utkarsh Gupta <utkarsh@debian.org> wrote:
    > With these 3 commits, I tried to build the package and it failed
    > with the following error:
    > 8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<
    > gpg --no-options --no-default-keyring --no-auto-check-trustdb --trustdb-name ./trustdb.gpg \
    > --keyring keyrings/team-members.gpg \
    > --verify active-keys/index.gpg active-keys/index
    > gpg: Signature made Wed Feb 24 20:38:18 2021 UTC
    > gpg:                using RSA key 0032DDC8B18C9DE1989FC76D44D32AB5FA26F8C9
    > gpg: ./trustdb.gpg: trustdb created
    > gpg: BAD signature from "Jonathan Wiltshire <jmw@debian.org>" [expired]
    > Makefile:9: recipe for target 'verify-indices' failed
    > 8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<
    >
    > I then also cherry-picked 0b6a54a5302793954af9659a399e76169281b98b,
    > that is, updating your key. But it still failed with the same
    > error. I am not sure what's up? Do you have an idea what's
    > happening? TIA!

    I've pushed the changes to my namespace so that it's easy to see
    what I am doing. The repository/commits could be found here: https://salsa.debian.org/utkarsh/debian-archive-keyring/-/commits/master

    Please let me know what I am missing. Thank you!


    - u

  • From Jonathan Wiltshire@21:1/5 to Utkarsh Gupta on Tue Oct 5 10:00:01 2021
    Hi,

    On Sat, Oct 02, 2021 at 09:35:56PM +0530, Utkarsh Gupta wrote:
    > Hi Jonathan,
    >
    > On Wed, Aug 25, 2021 at 11:27 PM Raphael Hertzog <hertzog@debian.org> wrote:
    > > it would be nice if we could get an update of debian-archive-keyring
    > > in stretch to add the bullseye key just like it has been done in buster a
    > > while ago:
    > > https://tracker.debian.org/news/1236764/accepted-debian-archive-keyring-20191deb10u1-source-all-into-proposed-updates-stable-new-proposed-updates/

    I do wonder to what end - for building things more easily on stretch
    perhaps? From the RT point of view, you only need to ensure smooth upgrades
    to the next release, we don't support skipping.

    Anyway...

    > Whilst prepping an update for stretch, I cherry-picked the following
    > commits from the salsa repository w cross-checking the update
    > as proposed via #985371:
    >
    > 464dc87f2dc7d5ef84150a1fe5b326ba9bb5174e -> Add automatic
    > signing keys for bullseye.
    >
    > 379aebbdf44d2fa9bde4eb5904c9e860cd13eb28 -> Add Debian
    > Stable Release Key (11/bullseye).
    >
    > 74d1b0366c01b1b4653b5eba24f751655c25bb96 -> Refresh
    > signatures over keyrings/debian-archive-keyring.gpg (and not
    > keyrings/debian-archive-removed-keys.gpg since I'm not
    > removing any keys in this update).
    >
    > With these 3 commits, I tried to build the package and it failed
    > with the following error:
    > 8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<
    > gpg --no-options --no-default-keyring --no-auto-check-trustdb --trustdb-name ./trustdb.gpg \
    > --keyring keyrings/team-members.gpg \
    > --verify active-keys/index.gpg active-keys/index
    > gpg: Signature made Wed Feb 24 20:38:18 2021 UTC
    > gpg:                using RSA key 0032DDC8B18C9DE1989FC76D44D32AB5FA26F8C9
    > gpg: ./trustdb.gpg: trustdb created
    > gpg: BAD signature from "Jonathan Wiltshire <jmw@debian.org>" [expired]
    > Makefile:9: recipe for target 'verify-indices' failed
    > 8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<
    >
    > I then also cherry-picked 0b6a54a5302793954af9659a399e76169281b98b,
    > that is, updating your key. But it still failed with the same
    > error. I am not sure what's up? Do you have an idea what's
    > happening? TIA!

    You will need (but may not want) the commit removing jessie's keys as well. Basically all intermediate commits which touch keyrings - a removal is
    really a move from the main keyring to the archive keyring, so it will
    change the makeup of the keyring and fail the validation.

    If you actually need the jessie keys kept, as I suspect you do, I can
    prepare a stretch branch with new signatures on it in a few days.

    I intend to simplify the whole thing significantly in bookworm; this whole jetring and gpg validation thing makes for a lot of maintenance pain.

    --
    Jonathan Wiltshire jmw@debian.org
    Debian Developer http://people.debian.org/~jmw

    4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
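
Jonathan's explanation above, modelled as an added example (not code from debian-archive-keyring or jetring): the signature shipped by a re-signing commit covers the index as it stood upstream, so a backport that skips an intermediate keyring change presents a different index and verification fails. HMAC stands in for gpg's detached OpenPGP signature, and the commit ids, key names and index format are constructed.

```python
import hashlib
import hmac

# Constructed stand-in for the team member's signing key; the real build
# verifies an OpenPGP detached signature with gpg, not an HMAC.
SIGNER_KEY = b"constructed-signing-key"

# Constructed keyring makeup of the backport target before any cherry-pick.
BASE = ["jessie-archive", "jessie-release", "stretch-archive", "stretch-release"]

# Constructed upstream history: (id, keys added, keys removed, re-signs index?)
UPSTREAM = [
    ("remove-jessie", [], ["jessie-archive", "jessie-release"], True),
    ("add-bullseye-auto", ["bullseye-archive", "bullseye-security"], [], False),
    ("add-bullseye-release", ["bullseye-release"], [], False),
    ("refresh-signatures", [], [], True),
]

def render_index(active):
    """Serialise the keyring makeup, one entry per line, in order."""
    return "".join(f"{key}\n" for key in active).encode()

def sign(data):
    return hmac.new(SIGNER_KEY, data, hashlib.sha256).hexdigest()

def verify(data, sig):
    return hmac.compare_digest(sign(data), sig)

def apply(active, commit):
    _, added, removed, _ = commit
    return [k for k in active if k not in removed] + added

def upstream_signatures():
    """Replay the full history; a re-signing commit signs the index it sees."""
    active, sigs = list(BASE), {}
    for commit in UPSTREAM:
        active = apply(active, commit)
        if commit[3]:
            sigs[commit[0]] = sign(render_index(active))
    return sigs

def build_backport(picked):
    """Cherry-pick only `picked` onto BASE; return (signature_ok, makeup)."""
    sigs = upstream_signatures()
    active, sig = list(BASE), sign(render_index(BASE))
    for commit in UPSTREAM:
        if commit[0] in picked:
            active = apply(active, commit)
            if commit[3]:
                sig = sigs[commit[0]]  # signature blob copied from upstream
    return verify(render_index(active), sig), active

def skipped_keyring_commits(picked):
    """Upstream commits that change the makeup but were not cherry-picked."""
    return [c[0] for c in UPSTREAM if c[0] not in picked and (c[1] or c[2])]
```
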

  • From Utkarsh Gupta@21:1/5 to jmw@debian.org on Mon Oct 11 03:20:01 2021
    Hi Jonathan,

    On Tue, Oct 5, 2021 at 1:26 PM Jonathan Wiltshire <jmw@debian.org> wrote:
    > You will need (but may not want) the commit removing jessie's keys as well.
    > Basically all intermediate commits which touch keyrings - a removal is
    > really a move from the main keyring to the archive keyring, so it will
    > change the makeup of the keyring and fail the validation.
    >
    > If you actually need the jessie keys kept, as I suspect you do, I can
    > prepare a stretch branch with new signatures on it in a few days.

    That'd be really helpful, yes. Though I am still unsure what am I missing.
    When you prep a branch for stretch, please let me know and as I said,
    that'd be really helpful. Thank you so much!

    > I intend to simplify the whole thing significantly in bookworm; this whole
    > jetring and gpg validation thing makes for a lot of maintenance pain.

    Perfect, that'll indeed help a lot. :)


    - u

  • From Anton Gladky@21:1/5 to All on Fri Mar 11 15:10:01 2022
    I have followed the steps described in README.maintainer,
    added my key to the team for stretch and imported keys.

    It looks like everything works. Testing it.

    Regards

    Anton

    On Fri, 11 Mar 2022 at 14:28, Utkarsh Gupta <guptautkarsh2102@gmail.com> wrote:
    >
    > Hi Jonathan,
    >
    > On Mon, Oct 11, 2021 at 6:24 AM Utkarsh Gupta <utkarsh@debian.org> wrote:
    > > On Tue, Oct 5, 2021 at 1:26 PM Jonathan Wiltshire <jmw@debian.org> wrote:
    > > > You will need (but may not want) the commit removing jessie's keys as well.
    > > > Basically all intermediate commits which touch keyrings - a removal is
    > > > really a move from the main keyring to the archive keyring, so it will
    > > > change the makeup of the keyring and fail the validation.
    > > >
    > > > If you actually need the jessie keys kept, as I suspect you do, I can
    > > > prepare a stretch branch with new signatures on it in a few days.
    > >
    > > That'd be really helpful, yes. Though I am still unsure what am I missing.
    > > When you prep a branch for stretch, please let me know and as I said,
    > > that'd be really helpful. Thank you so much!
    >
    > Friendly ping on this. Any status update on this, please? :)
    > Do you think you can take a look at this sooner? Let me/us know.
    >
    > > > I intend to simplify the whole thing significantly in bookworm; this whole
    > > > jetring and gpg validation thing makes for a lot of maintenance pain.
    > >
    > > Perfect, that'll indeed help a lot. :)
    >
    >
    > - u


  • From Utkarsh Gupta@21:1/5 to utkarsh@debian.org on Fri Mar 11 14:50:01 2022
    Hi Jonathan,

    On Mon, Oct 11, 2021 at 6:24 AM Utkarsh Gupta <utkarsh@debian.org> wrote:
    > On Tue, Oct 5, 2021 at 1:26 PM Jonathan Wiltshire <jmw@debian.org> wrote:
    > > You will need (but may not want) the commit removing jessie's keys as well.
    > > Basically all intermediate commits which touch keyrings - a removal is
    > > really a move from the main keyring to the archive keyring, so it will
    > > change the makeup of the keyring and fail the validation.
    > >
    > > If you actually need the jessie keys kept, as I suspect you do, I can
    > > prepare a stretch branch with new signatures on it in a few days.
    >
    > That'd be really helpful, yes. Though I am still unsure what am I missing.
    > When you prep a branch for stretch, please let me know and as I said,
    > that'd be really helpful. Thank you so much!

    Friendly ping on this. Any status update on this, please? :)
    Do you think you can take a look at this sooner? Let me/us know.

    > > I intend to simplify the whole thing significantly in bookworm; this whole
    > > jetring and gpg validation thing makes for a lot of maintenance pain.
    >
    > Perfect, that'll indeed help a lot. :)


    - u
