Home | Devuan | Git | Forum | Packages | Popcon
Donate now!
Download

Devuan bug report logs - #891
devuan-keyring: New signing key needed?

version graph

Package: devuan-keyring; Maintainer for devuan-keyring is Devuan Developers <devuan-dev@lists.dyne.org>; Source for devuan-keyring is src:devuan-keyring.

Reported by: Martin <Martin@lichtvoll.de>

Date: Mon, 26 May 2025 15:18:01 UTC

Severity: normal

Found in version devuan-keyring/2023.10.07

Done: Mark Hindley <mark@hindley.org.uk>

Full log

Message #13 received at 891@bugs.devuan.org (full text, mbox, reply):

Received: (at 891) by bugs.devuan.org; 2 Jun 2025 19:04:32 +0000
Return-Path: <sawbona@xsmail.com>
Delivered-To: bugs@devuan.org
Received: from email.devuan.org [2a01:4f9:fff1:13::5fd9:f9e4]
	by doc.devuan.org with IMAP (fetchmail-6.4.16)
	for <debbugs@localhost> (single-drop); Mon, 02 Jun 2025 19:04:32 +0000 (UTC)
Received: from email.devuan.org
	by email.devuan.org with LMTP
	id LS6LHo71PWgzXAAAmSBk0A
	(envelope-from <sawbona@xsmail.com>)
	for <bugs@devuan.org>; Mon, 02 Jun 2025 19:03:42 +0000
Received: by email.devuan.org (Postfix, from userid 109)
	id 621E999; Mon,  2 Jun 2025 19:03:42 +0000 (UTC)
Authentication-Results: email.devuan.org;
	dkim=pass (2048-bit key; unprotected) header.d=xsmail.com header.i=@xsmail.com header.a=rsa-sha256 header.s=fm3 header.b=aue5Fth8;
	dkim=pass (2048-bit key; unprotected) header.d=messagingengine.com header.i=@messagingengine.com header.a=rsa-sha256 header.s=fm1 header.b=q/1QgtJc;
	dkim-atps=neutral
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on email.devuan.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.5 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,
	RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE,
	SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
	version=3.4.6
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=103.168.172.145; helo=fout-a2-smtp.messagingengine.com; envelope-from=sawbona@xsmail.com; receiver=<UNKNOWN> 
Received: from fout-a2-smtp.messagingengine.com (fout-a2-smtp.messagingengine.com [103.168.172.145])
	by email.devuan.org (Postfix) with ESMTPS id B6FEA41
	for <891@bugs.devuan.org>; Mon,  2 Jun 2025 19:03:39 +0000 (UTC)
Received: from phl-compute-05.internal (phl-compute-05.phl.internal [10.202.2.45])
	by mailfout.phl.internal (Postfix) with ESMTP id EA63A1380349;
	Mon,  2 Jun 2025 15:03:37 -0400 (EDT)
Received: from phl-mailfrontend-02 ([10.202.2.163])
  by phl-compute-05.internal (MEProxy); Mon, 02 Jun 2025 15:03:37 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=xsmail.com; h=cc
	:content-description:content-transfer-encoding:content-type
	:content-type:date:date:from:from:in-reply-to:in-reply-to
	:message-id:mime-version:references:reply-to:subject:subject:to
	:to; s=fm3; t=1748891017; x=1748977417; bh=lVFiXnSe4ZX378dQskDh2
	BGHD2YTvwirdMepKRqVmdA=; b=aue5Fth8LwZUQuQIvFLx1C+LlX8Axo3Uko+dC
	tekkjoPcxYhQL/4bwN1rnPxBMJlxwcKvaKWAovziirJy2Fqp+6yeWaWWsiRLUbxn
	vOcvafIAPOyyAqmsMSf84zqWpT7L47sOEsoAgRD5IITjO51RiIxiGrWH/nLHzMD+
	T70nK6PaKodhRFPVm08fyhYtFhaJ8ItuPgnOB2eajsrMwXGXzQB09HzEAHKsRfgf
	dkvgVbHJCmQZxqyx291I+/kXd5BL2n6D25goh14tqHfBRSOOfCjId1fAdJn0B2Tq
	CuhPGSLOpecYA582uuDXQkysN01hELL64lHNtO80goFk2FdJQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:content-description
	:content-transfer-encoding:content-type:content-type:date:date
	:feedback-id:feedback-id:from:from:in-reply-to:in-reply-to
	:message-id:mime-version:references:reply-to:subject:subject:to
	:to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=
	1748891017; x=1748977417; bh=lVFiXnSe4ZX378dQskDh2BGHD2YTvwirdMe
	pKRqVmdA=; b=q/1QgtJcz+u1dY3PEk/Gh3TPXVtQ17obwuiqmkFaazvOuNTZf2W
	T5BhhsDvYbFwWEW0sy8NAwuZWe/W9K9W5Mw7c3LmgJQ+GqquBC1vNpFhmDt4gBlE
	ShlNIilagsdhHTDwjhQ4/qt8nnMHCXM/TLEhQtx27QTNoE/faanZg7fQIKICto6H
	/5Ocm9rVNThknQ+WPbcMemLRhnrAJ5HJUwhE0nPtn+G3Sj1JBsTE5j++YyOt30Gp
	zKvKjQT1dYybUAFcNyQ/XNqJHbWN3H/z8BvpKgrpLuvE3Zk7ZbwYEvX5nK0nOesT
	kJDXnnVbib1IXJ2X8zBDdAMeam4WIhsKySw==
X-ME-Sender: <xms:h_U9aH6EpWWCdRZvgDyBYbeASCWc0rdInNk8O3sO8E-JwGBlFOdl9g>
    <xme:h_U9aM65oKy59m3GSsPN2iNuDWWxszEB9LdG7SxLv-MHyH7W8-vufr3SaRGfjPerq
    TBI6PZZO6OH1IbwbA>
X-ME-Received: <xmr:h_U9aOeIpsypPK5U8PP1e7CPiwa3GI2ZGOTmFkc7nb5LCDjPFNl23FF6jzSb_lyl>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtddtgdefkeegieculddtuddrgeefvddrtd
    dtmdcutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpggft
    fghnshhusghstghrihgsvgdpuffrtefokffrpgfnqfghnecuuegrihhlohhuthemuceftd
    dtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpefhvfffggfukfgj
    fhfotgfgsehtufertdfftddvnecuhfhrohhmpehsrgifsghonhgrseigshhmrghilhdrtg
    homhenucggtffrrghtthgvrhhnpedvvdduleduhfefhfffkeffudfgkeelteduuddttdfg
    ieffuddvieeifefffeegleenucffohhmrghinhepshhlvggvphgvrhdrshhhnecuvehluh
    hsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepshgrfigsohhnrges
    gihsmhgrihhlrdgtohhmpdhnsggprhgtphhtthhopeegpdhmohguvgepshhmthhpohhuth
    dprhgtphhtthhopehmrghrkheshhhinhgulhgvhidrohhrghdruhhkpdhrtghpthhtohep
    keeludessghughhsrdguvghvuhgrnhdrohhrghdprhgtphhtthhopeguvghvuhgrnhdqug
    gvvheslhhishhtshdrugihnhgvrdhorhhg
X-ME-Proxy: <xmx:h_U9aIJAv43xueNvudj5CAVHI8Qb2FlHHpO4q6_9BEqUE9YGv3nuxg>
    <xmx:h_U9aLIHf554MBXlYXQ6Ib4AMPRYblRgdPxyGvWYhk19gOpc2je5Rw>
    <xmx:h_U9aBzP_pGSZLcik__NyEBoUUqS6dzxy-EfQfCOU5XkVn8B4xALLw>
    <xmx:h_U9aHLo_r97ai5dt45NUTBDRFvXqAzSQG_CpBB6ZYquMed1G9KL-g>
    <xmx:ifU9aKVqXIBs8zwd8zfr8HP3xwUn4C6OGWXunJtjeWPb8bWgHLZd0GyK>
Feedback-ID: ife904084:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon,
 2 Jun 2025 15:03:34 -0400 (EDT)
From: sawbona@xsmail.com
To: Mark Hindley <mark@hindley.org.uk>,
              891@bugs.devuan.org,
              devuan developers internal list <devuan-dev@lists.dyne.org>,
              "devuan-dev" <devuan-dev@lists.dyne.org>
Date: Mon, 02 Jun 2025 16:03:32 -0300
MIME-Version: 1.0
Subject: Re: [devuan-dev] bug#891: devuan-keyring: New signing key needed?
Message-ID: <683DF584.3035.47930B@sawbona.xsmail.com>
Priority: normal
In-reply-to: <aD3LbBatRfW-nivX@hindley.org.uk>
References: <12678847.O9o76ZdvQC@lichtvoll.de>, <aD3LbBatRfW-nivX@hindley.org.uk>
X-mailer: Pegasus Mail for Windows (4.73.639)
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Mail message body

Hello:

On 2 Jun 2025 at 17:03, Mark Hindley wrote:

> ... end up in a chicken and egg cycle with the new key being used
> but apt refusing to update the devuan-keyring package because it
> can't verify the key.
> 
> ... good idea how to resolve that?

Just thinking out loud, not to be taken *too* seriously.

I live in a building with 10 stories and 66 flats.
When someone loses their keys to the front door, the lock is changed 
asap and 66 new keys are made and distributed.

When someone without a new key wants to get into the building, they 
are met with a sign saying that they should contact the building's 
admin and ask for their key. 

In a loosely analogous manner, a *sleeper* devuan-keyring metapackage 
could be used.

I would be pushed out to everyone updating and once installed it 
would lie waiting to detect when / if the user wanting to update / 
upgrade or install anything is unable to do so because of the old 
key.

At that point, it would inform them of the situation and instruct 
them to extract [c]sleeper.sh[/c] from the metapackage.

[c]sleeper.sh[/c] would unpackage, install the new key and ask the 
user to try their update / upgrade again.

If the update / upgrade or installation went ahead as expected, the 
*sleeper* devuan-keyring metapackage would then rm itself.

Just an idea.
I am aware that this may potentially have some security issues.

Best,

A.

Send a report that this bug log contains spam.

Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Wed Nov 19 00:50:46 2025;