public inbox for [email protected]
help / color / mirror / Atom feedFrom: Aaron Pavely <[email protected]>
To: Christoph Berg <[email protected]>
To: PostgreSQL in Debian <[email protected]>
Subject: Re: Repository key handling changed
Date: Mon, 14 Nov 2022 14:06:58 -0600
Message-ID: <CAGs4muUPqUY9iW-c3309C2H5Q8zrH4E1oA4oBaKK933EftggHw@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
On Fri, Nov 11, 2022 at 10:54 AM Christoph Berg <[email protected]> wrote:
> Hi,
>
> previously, when installing postgresql-common from apt.postgresql.org,
> it would pull in the pgdg-keyring package that contains the key for
> the repository:
>
> /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc
> /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg
> /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg ->
> /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg
>
> In postgresql-common 246, this has been changed such that
> postgresql-common itself contains the key files, and the trusted.gpg.d
> symlink is created when a /etc/apt/sources.list.d/pgdg.list is found.
>
> On upgrade, pgdg-keyring will be removed, but since the same set of
> files is provided, nothing should change.
>
> One caveat is that pgdg-keyring has
> /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg
> marked as conffile, so if the package is purged after the removal, the
> .gpg file
> will be removed. (Workaround: reinstall postgresql-common, or don't
> purge pgdg-keyring, or use an explicit key file (see below))
>
>
> Additionally the apt.postgresql.org.sh installer script [1] has been
> updated to write /etc/apt/sources.list.d/pgdg.sources in the modern
> deb-822 style. By default it looks like this:
>
> $ cat /etc/apt/sources.list.d/pgdg.sources
> Types: deb
> URIs: https://apt.postgresql.org/pub/repos/apt
> Suites: bullseye-pgdg
> Components: main
> Signed-By: /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg
>
> [1]
> https://salsa.debian.org/postgresql/postgresql-common/-/raw/master/pgdg/apt.postgresql.org.sh
>
> The advantage is that the key for the repository is explicitly
> specified, and the URI scheme has been upgraded to https://.
> (Make sure systems have ca-certificates installed!)
>
>
> I have not yet upgraded the installation instructions on
> https://wiki.postgresql.org/wiki/Apt yet, since they are compatible
> with either version of the key/scripts, but will do so over the next
> days.
>
>
> If you have questions, follow up here or ask on #postgresql-apt on
> libera.
>
> Christoph
>
I am wondering if the repository keys should have gone into
postgresql-client-common, since there are cases where one will have
postgresql-client-common installed, but not postgresql-common (e.g., hosts
needing only the client libraries).
-- Aaron
view thread (3+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: Repository key handling changed
In-Reply-To: <CAGs4muUPqUY9iW-c3309C2H5Q8zrH4E1oA4oBaKK933EftggHw@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox