public inbox for [email protected]  
should postgresql-common depend on ca-certificates?


From: Peter Eisentraut @ 2025-10-05 13:33 UTC (permalink / raw)
  To: PostgreSQL on Debian and Ubuntu <[email protected]>

If I follow the Quickstart at 
https://wiki.postgresql.org/wiki/Apt#Quickstart but use 
--no-install-recommends, things don't quite work.  (I realize I'm going 
off the well-trodden path, but this is useful for CI setups to avoid 
installing packages you don't strictly need.)  For example, on Ubuntu 24.04:

apt-get update
apt-get -y --no-install-recommends install gnupg postgresql-common
/usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -y

Then you get warnings like this:

   Certificate verification failed: The certificate is NOT trusted. The 
certificate issuer is unknown.  Could not handshake: Error in the 
certificate verification. [IP: 151.101.3.52 443]
W: https://apt.postgresql.org/pub/repos/apt/dists/noble-pgdg/InRelease: 
No system certificates available. Try installing ca-certificates.

When you install ca-certificates, then the whole thing works. 
Apparently, there is a "recommends" dependency somewhere down the chain, 
but postgresql-common itself doesn't mention it.

I don't know what the right solution is, but maybe a combination of

1) postgresql-common at least "suggests" ca-certificates.
2) apt.postgresql.org.sh should do more checking that the setup it 
creates actually works.
3) The wiki page quickstart makes more explicit mention of 
ca-certificates.  (It is mentioned for the manual setup.)






From: Christoph Berg @ 2025-10-09 15:12 UTC (permalink / raw)
  To: Peter Eisentraut <[email protected]>; +Cc: PostgreSQL on Debian and Ubuntu <[email protected]>

Re: Peter Eisentraut
>   Certificate verification failed: The certificate is NOT trusted. The
> certificate issuer is unknown.  Could not handshake: Error in the
> certificate verification. [IP: 151.101.3.52 443]
> W: https://apt.postgresql.org/pub/repos/apt/dists/noble-pgdg/InRelease: No
> system certificates available. Try installing ca-certificates.

Good point, thanks for bringing this up.

> I don't know what the right solution is, but maybe a combination of
> 
> 1) postgresql-common at least "suggests" ca-certificates.

In my view, the apt.postgresql.org.sh script is just a side-feature of
that package, so adding a ca-certificates dependency would be wrong.
And recommends/suggests don't really solve the problem.

> 2) apt.postgresql.org.sh should do more checking that the setup it creates
> actually works.

Maybe. Otoh people (or CI setups) might run the script, and do the
package installation later. I also wouldn't quite know what to check
there, except for running `apt update` which it is already doing.

> 3) The wiki page quickstart makes more explicit mention of ca-certificates.
> (It is mentioned for the manual setup.)

I added "ca-certificates" to the TL;DR recipe. That makes it less
crisp, but now it's guaranteed to work.

Christoph
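
One possible shape for the "what to check" question discussed above, as an added example that is not part of the thread and not code from apt.postgresql.org.sh: test for a usable CA bundle before relying on an https source, and treat the certificate warnings quoted in the thread as a hard failure. The function names are hypothetical, and the bundle path (the file that ca-certificates generates on Debian/Ubuntu) is an assumption about where the trust store lives.

```shell
#!/bin/sh
# Added example; function names are hypothetical. The bundle path is the file
# that ca-certificates generates on Debian/Ubuntu (assumed as the trust store).
# Usage in CI: apt-get update >apt.log 2>&1; check_https_source / apt.log || exit 1
CA_BUNDLE_REL="etc/ssl/certs/ca-certificates.crt"

# Constructed sample input: the failure lines quoted in this thread, and a
# constructed line for a successful fetch.
SAMPLE_FAIL='  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 151.101.3.52 443]
W: https://apt.postgresql.org/pub/repos/apt/dists/noble-pgdg/InRelease: No system certificates available. Try installing ca-certificates.'
SAMPLE_OK='Hit:1 https://apt.postgresql.org/pub/repos/apt noble-pgdg InRelease'

# 0 if a non-empty PEM bundle exists under the given root (default /).
have_ca_bundle() {
    root="${1:-/}"
    bundle="${root%/}/$CA_BUNDLE_REL"
    [ -s "$bundle" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$bundle"
}

# Reads captured apt output on stdin; 0 only if no TLS trust failure appears.
tls_trust_ok() {
    ! grep -E -q 'Certificate verification failed|No system certificates available'
}

# check_https_source ROOT LOGFILE
# 0 = ok, 2 = no trust store, 3 = apt reported a certificate failure.
check_https_source() {
    if ! have_ca_bundle "$1"; then
        echo "no CA bundle found under $1; install ca-certificates" >&2
        return 2
    fi
    if ! tls_trust_ok < "$2"; then
        echo "apt could not verify the repository certificate" >&2
        return 3
    fi
    return 0
}
```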






From: Christophe Courtois @ 2025-10-10 08:27 UTC (permalink / raw)
  To: PostgreSQL on Debian and Ubuntu <[email protected]>

On 09/10/2025 at 17:12, Christoph Berg wrote:
(✂️✂️✂️)

>> 3) The wiki page quickstart makes more explicit mention of ca-certificates.
>> (It is mentioned for the manual setup.)
> I added "ca-certificates" to the TL;DR recipe. That makes it less
> crisp, but now it's guaranteed to work.

BTW: I recently discovered that the PGDG repository can be installed 
with "extrepo enable postgresql"  (same URL, different keys)

The wiki says nothing about this.

Is it a good idea/discouraged/an alternative way/the next recommended way?

Thanks!

-- 
_________  ____
|         ||    |   Christophe Courtois
|         ||__  |   Consultant DALIBO
|         |   | |   43, rue du Faubourg Montmartre
|    -    |  / /    75009 Paris
|___| |___|  \/     www.dalibo.com






