Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps
 (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <pgsql-pkg-debian-owner+archive@lists.postgresql.org>)
	id 1oufjh-0001I3-AM
	for pgsql-pkg-debian@arkaria.postgresql.org; Mon, 14 Nov 2022 20:07:17 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.92)
	(envelope-from <pgsql-pkg-debian-owner+archive@lists.postgresql.org>)
	id 1oufjf-0003jR-Og
	for pgsql-pkg-debian@arkaria.postgresql.org; Mon, 14 Nov 2022 20:07:15 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <aaron@pavely.net>)
	id 1oufjf-0003jI-0j
	for pgsql-pkg-debian@lists.postgresql.org; Mon, 14 Nov 2022 20:07:15 +0000
Received: from mail-ej1-x631.google.com ([2a00:1450:4864:20::631])
	by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128)
	(Exim 4.92)
	(envelope-from <aaron@pavely.net>)
	id 1oufjb-0006bM-Ix
	for pgsql-pkg-debian@lists.postgresql.org; Mon, 14 Nov 2022 20:07:13 +0000
Received: by mail-ej1-x631.google.com with SMTP id 13so31140330ejn.3
        for <pgsql-pkg-debian@lists.postgresql.org>;
 Mon, 14 Nov 2022 12:07:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=pavely.net; s=google;
        h=to:subject:message-id:date:from:in-reply-to:references:mime-version
         :from:to:cc:subject:date:message-id:reply-to;
        bh=0CSze+bb71WS3yCl5TjzxbCqRbRf/nz3dzMKW3cxeZs=;
        b=AxTAAtv/IyEyO2TsNSf2bnf0VwJI0IGsPwIqI0wo/3DGHl8u4dWlvunwZ5/WW6FrTy
         I5s4PiKByH7XxDzKf4ihnMdU/vKAwPsURDL9t2P+S+GGEnxuaoO15Pe3DREXzhZpOmW+
         GHKwUlnTe9nkigKDYQqYT84tUAPNbz1ZSgkJU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=to:subject:message-id:date:from:in-reply-to:references:mime-version
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=0CSze+bb71WS3yCl5TjzxbCqRbRf/nz3dzMKW3cxeZs=;
        b=mxGpP3RmtGweUGaXWQywPy6YRdnBIEvX4TOGDqmyuObYEasCpzy/+P0xMjdqXbPAx4
         LC3f7QhGFzHoZ/lrBuNre3upsGBzjPDkDL+4LQkJb65grizEwg9Bl6q2zOY5enq3fd2g
         LWjKa1urF/k5tE8LrO/yBgVKiEq5hr3ely13gLRkCpNT98e8PvZ1qHcb0plSrAqduIsv
         LLm42PKBuWRgrGnMIwnCuGGIw2X6SIAKWoC2VjbyGyJvI0insWcyMROC9gRaj4Ymr2xm
         DyI4zy/Oj0GWDKpjwPMko5FSP/96U6uzYINaRzvjhK2B85+aqsqBy0YfewX3mcRBPJHV
         MO4g==
X-Gm-Message-State: ANoB5pkwmKbcg8x2kKsSmKLu9FBBGJtWg0953D4fKp87WccrwDpsmjRj
	Vp5RMT/84xw4o+eBTX1LDHqMv8a0vC4VW1BSI35Arg==
X-Google-Smtp-Source: 
 AA0mqf7pOmyFgDZShUp3bdk8+TuoK+SV2fzJ0sSDTR5r3uQITL+bAy04kBIZaRCbkmuY3dQvrFVtrLDej4f/bx2L2WI=
X-Received: by 2002:a17:907:7f27:b0:78c:b8b0:9d35 with SMTP id
 qf39-20020a1709077f2700b0078cb8b09d35mr11624033ejc.586.1668456429639; Mon, 14
 Nov 2022 12:07:09 -0800 (PST)
MIME-Version: 1.0
References: <Y25+RkZxiZKBOKio@msg.df7cb.de>
In-Reply-To: <Y25+RkZxiZKBOKio@msg.df7cb.de>
From: Aaron Pavely <aaron@pavely.net>
Date: Mon, 14 Nov 2022 14:06:58 -0600
Message-ID: 
 <CAGs4muUPqUY9iW-c3309C2H5Q8zrH4E1oA4oBaKK933EftggHw@mail.gmail.com>
Subject: Re: Repository key handling changed
To: Christoph Berg <myon@debian.org>,
	PostgreSQL in Debian <pgsql-pkg-debian@lists.postgresql.org>
Content-Type: multipart/alternative; boundary="000000000000cff84305ed73c80e"
List-Id: <pgsql-pkg-debian.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-pkg-debian@lists.postgresql.org>
List-Owner: <mailto:pgsql-pkg-debian-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-pkg-debian>
Archived-At: 
 <https://www.postgresql.org/message-id/CAGs4muUPqUY9iW-c3309C2H5Q8zrH4E1oA4oBaKK933EftggHw%40mail.gmail.com>
Precedence: bulk

--000000000000cff84305ed73c80e
Content-Type: text/plain; charset="UTF-8"

On Fri, Nov 11, 2022 at 10:54 AM Christoph Berg <myon@debian.org> wrote:

> Hi,
>
> previously, when installing postgresql-common from apt.postgresql.org,
> it would pull in the pgdg-keyring package that contains the key for
> the repository:
>
> /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc
> /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg
> /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg ->
> /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg
>
> In postgresql-common 246, this has been changed such that
> postgresql-common itself contains the key files, and the trusted.gpg.d
> symlink is created when a /etc/apt/sources.list.d/pgdg.list is found.
>
> On upgrade, pgdg-keyring will be removed, but since the same set of
> files is provided, nothing should change.
>
> One caveat is that pgdg-keyring has
> /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg
> marked as conffile, so if the package is purged after the removal, the
> .gpg file
> will be removed. (Workaround: reinstall postgresql-common, or don't
> purge pgdg-keyring, or use an explicit key file (see below))
>
>
> Additionally the apt.postgresql.org.sh installer script [1] has been
> updated to write /etc/apt/sources.list.d/pgdg.sources in the modern
> deb-822 style. By default it looks like this:
>
> $ cat /etc/apt/sources.list.d/pgdg.sources
> Types: deb
> URIs: https://apt.postgresql.org/pub/repos/apt
> Suites: bullseye-pgdg
> Components: main
> Signed-By: /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg
>
> [1]
> https://salsa.debian.org/postgresql/postgresql-common/-/raw/master/pgdg/apt.postgresql.org.sh
>
> The advantage is that the key for the repository is explicitly
> specified, and the URI scheme has been upgraded to https://.
> (Make sure systems have ca-certificates installed!)
>
>
> I have not yet upgraded the installation instructions on
> https://wiki.postgresql.org/wiki/Apt yet, since they are compatible
> with either version of the key/scripts, but will do so over the next
> days.
>
>
> If you have questions, follow up here or ask on #postgresql-apt on
> libera.
>
> Christoph
>

I am wondering if the repository keys should have gone into
postgresql-client-common, since there are cases where one will have
postgresql-client-common installed, but not postgresql-common (e.g., hosts
needing only the client libraries).

-- Aaron

--000000000000cff84305ed73c80e
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"></div><div class=3D"gmail_quote"><div dir=
=3D"ltr" class=3D"gmail_attr">On Fri, Nov 11, 2022 at 10:54 AM Christoph Be=
rg &lt;<a href=3D"mailto:myon@debian.org">myon@debian.org</a>&gt; wrote:<br=
></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;=
border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
previously, when installing postgresql-common from <a href=3D"http://apt.po=
stgresql.org" rel=3D"noreferrer" target=3D"_blank">apt.postgresql.org</a>,<=
br>
it would pull in the pgdg-keyring package that contains the key for<br>
the repository:<br>
<br>
/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc<br>
/usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg<br>
/etc/apt/trusted.gpg.d/apt.postgresql.org.gpg -&gt; /usr/share/postgresql-c=
ommon/pgdg/apt.postgresql.org.gpg<br>
<br>
In postgresql-common 246, this has been changed such that<br>
postgresql-common itself contains the key files, and the trusted.gpg.d<br>
symlink is created when a /etc/apt/sources.list.d/pgdg.list is found.<br>
<br>
On upgrade, pgdg-keyring will be removed, but since the same set of<br>
files is provided, nothing should change.<br>
<br>
One caveat is that pgdg-keyring has /etc/apt/trusted.gpg.d/apt.postgresql.o=
rg.gpg<br>
marked as conffile, so if the package is purged after the removal, the .gpg=
 file<br>
will be removed. (Workaround: reinstall postgresql-common, or don&#39;t<br>
purge pgdg-keyring, or use an explicit key file (see below))<br>
<br>
<br>
Additionally the <a href=3D"http://apt.postgresql.org.sh" rel=3D"noreferrer=
" target=3D"_blank">apt.postgresql.org.sh</a> installer script [1] has been=
<br>
updated to write /etc/apt/sources.list.d/pgdg.sources in the modern<br>
deb-822 style. By default it looks like this:<br>
<br>
$ cat /etc/apt/sources.list.d/pgdg.sources<br>
Types: deb<br>
URIs: <a href=3D"https://apt.postgresql.org/pub/repos/apt" rel=3D"noreferre=
r" target=3D"_blank">https://apt.postgresql.org/pub/repos/apt</a><br>
Suites: bullseye-pgdg<br>
Components: main<br>
Signed-By: /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg<br>
<br>
[1] <a href=3D"https://salsa.debian.org/postgresql/postgresql-common/-/raw/=
master/pgdg/apt.postgresql.org.sh" rel=3D"noreferrer" target=3D"_blank">htt=
ps://salsa.debian.org/postgresql/postgresql-common/-/raw/master/pgdg/apt.po=
stgresql.org.sh</a><br>
<br>
The advantage is that the key for the repository is explicitly<br>
specified, and the URI scheme has been upgraded to https://.<br>
(Make sure systems have ca-certificates installed!)<br>
<br>
<br>
I have not yet upgraded the installation instructions on<br>
<a href=3D"https://wiki.postgresql.org/wiki/Apt" rel=3D"noreferrer" target=
=3D"_blank">https://wiki.postgresql.org/wiki/Apt</a> yet, since they are co=
mpatible<br>
with either version of the key/scripts, but will do so over the next<br>
days.<br>
<br>
<br>
If you have questions, follow up here or ask on #postgresql-apt on<br>
libera.<br>
<br>
Christoph<br></blockquote><div><br></div><div>I am wondering if the reposit=
ory keys should have gone into postgresql-client-common, since there are ca=
ses where one will have postgresql-client-common installed, but not postgre=
sql-common (e.g., hosts needing only the client libraries).</div><div><br><=
/div><div>-- Aaron</div></div></div>

--000000000000cff84305ed73c80e--