public inbox for [email protected]
help / color / mirror / Atom feedshould postgresql-common depend on ca-certificates?
3+ messages / 3 participants
[nested] [flat]
* should postgresql-common depend on ca-certificates?
@ 2025-10-05 13:33 Peter Eisentraut <[email protected]>
2025-10-09 15:12 ` Re: should postgresql-common depend on ca-certificates? Christoph Berg <[email protected]>
0 siblings, 1 reply; 3+ messages in thread
From: Peter Eisentraut @ 2025-10-05 13:33 UTC (permalink / raw)
To: PostgreSQL on Debian and Ubuntu <[email protected]>
If I follow the Quickstart at
https://wiki.postgresql.org/wiki/Apt#Quickstart but use
--no-install-recommends, things don't quite work. (I realize I'm going
off the well-trodden path, but this is useful for CI setups to avoid
installing packages you don't strictly need.) For example, on Ubuntu 24.04:
apt-get update
apt-get -y --no-install-recommends install gnupg postgresql-common
/usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -y
Then you get warnings like this:
Certificate verification failed: The certificate is NOT trusted. The
certificate issuer is unknown. Could not handshake: Error in the
certificate verification. [IP: 151.101.3.52 443]
W: https://apt.postgresql.org/pub/repos/apt/dists/noble-pgdg/InRelease:
No system certificates available. Try installing ca-certificates.
When you install ca-certificates, then the whole thing works.
Apparently, there is a "recommends" dependency somewhere down the chain,
but postgresql-common itself doesn't mention it.
I don't know what the right solution is, but maybe a combination of
1) postgresql-common at least "suggests" ca-certificates.
2) apt.postgresql.org.sh should do more checking that the setup it
creates actually works.
3) The wiki page quickstart makes more explicit mention of
ca-certificates. (It is mentioned for the manual setup.)
^ permalink raw reply [nested|flat] 3+ messages in thread
* Re: should postgresql-common depend on ca-certificates?
2025-10-05 13:33 should postgresql-common depend on ca-certificates? Peter Eisentraut <[email protected]>
@ 2025-10-09 15:12 ` Christoph Berg <[email protected]>
2025-10-10 08:27 ` Re: should postgresql-common depend on ca-certificates? Christophe Courtois <[email protected]>
0 siblings, 1 reply; 3+ messages in thread
From: Christoph Berg @ 2025-10-09 15:12 UTC (permalink / raw)
To: Peter Eisentraut <[email protected]>; +Cc: PostgreSQL on Debian and Ubuntu <[email protected]>
Re: Peter Eisentraut
> Certificate verification failed: The certificate is NOT trusted. The
> certificate issuer is unknown. Could not handshake: Error in the
> certificate verification. [IP: 151.101.3.52 443]
> W: https://apt.postgresql.org/pub/repos/apt/dists/noble-pgdg/InRelease: No
> system certificates available. Try installing ca-certificates.
Good point, thanks for bringing this up.
> I don't know what the right solution is, but maybe a combination of
>
> 1) postgresql-common at least "suggests" ca-certificates.
In my view, the apt.postgresql.org.sh script is just a side-feature of
that package, so adding a ca-certificates dependency would be wrong.
And recommends/suggests don't really solve the problem.
> 2) apt.postgresql.org.sh should do more checking that the setup it creates
> actually works.
Maybe. Otoh people (or CI setups) might run the script, and do the
package installation later. I'd also wouldn't quite know what to check
there, except for running `apt update` which it is already doing.
> 3) The wiki page quickstart makes more explicit mention of ca-certificates.
> (It is mentioned for the manual setup.)
I added "ca-certificates" to the TL;DR recipe. That makes it less
crisp, but now it's guaranteed to work.
Christoph
^ permalink raw reply [nested|flat] 3+ messages in thread
* Re: should postgresql-common depend on ca-certificates?
2025-10-05 13:33 should postgresql-common depend on ca-certificates? Peter Eisentraut <[email protected]>
2025-10-09 15:12 ` Re: should postgresql-common depend on ca-certificates? Christoph Berg <[email protected]>
@ 2025-10-10 08:27 ` Christophe Courtois <[email protected]>
0 siblings, 0 replies; 3+ messages in thread
From: Christophe Courtois @ 2025-10-10 08:27 UTC (permalink / raw)
To: PostgreSQL on Debian and Ubuntu <[email protected]>
Le 09/10/2025 à 17:12, Christoph Berg a écrit :
(✂️✂️✂️)
>> 3) The wiki page quickstart makes more explicit mention of ca-certificates.
>> (It is mentioned for the manual setup.)
> I added "ca-certificates" to the TL;DR recipe. That makes it less
> crisp, but now it's guaranteed to work.
BTW: I recently discovered that the PGDG repository can be installed
with "extrepo enable postgresql" (same URL, different keys)
The wiki says nothing about this.
Is it a good/idea/discouraged/an alternative way/the next recommended way?
Thanks!
--
_________ ____
| || | Christophe Courtois
| ||__ | Consultant DALIBO
| | | | 43, rue du Faubourg Montmartre
| - | / / 75009 Paris
|___| |___| \/ www.dalibo.com
^ permalink raw reply [nested|flat] 3+ messages in thread
end of thread, other threads:[~2025-10-10 08:27 UTC | newest]
Thread overview: 3+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2025-10-05 13:33 should postgresql-common depend on ca-certificates? Peter Eisentraut <[email protected]>
2025-10-09 15:12 ` Christoph Berg <[email protected]>
2025-10-10 08:27 ` Christophe Courtois <[email protected]>
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox