From d3213963281a4f910b78679dad35bf59ddbd721c Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 23 Jul 2013 20:09:05 +0200 Subject: debian/apt.postinst: * debian/apt.postinst: - run /etc/kernel/postinst.d/apt-auto-removal once on upgrade to ensure that the correct auto-removal list is generated (closes: #717615) --- debian/apt.postinst | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'debian/apt.postinst') diff --git a/debian/apt.postinst b/debian/apt.postinst index bd814e1af..9ff1e031c 100644 --- a/debian/apt.postinst +++ b/debian/apt.postinst @@ -28,6 +28,10 @@ case "$1" in chmod -f 0640 /var/log/apt/term.log* || true fi + # create kernel autoremoval blacklist on update + if dpkg --compare-versions "$2" lt-nl 0.9.9.3; then + /etc/kernel/postinst.d/apt-auto-removal + fi ;; abort-upgrade|abort-remove|abort-deconfigure) -- cgit v1.2.3-70-g09d2 From f9e64e7bb0c125b54f0699d9e08956a88b467a7f Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Mon, 12 Aug 2013 00:19:10 +0200 Subject: use a tmpfile for trustdb.gpg in apt-key MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit for some "interesting" reason gpg decides that it needs to update its trustdb.gpg file in a --list-keys command even if right before gpg is asked to --check-trustdb. That wouldn't be as bad if it wouldn't modify the keyring being listed at that moment as well, which generates not only warnings which are not a problem for us, but as the keyring modified can be in /usr it modified files which aren't allowed to be modified. The suggested solution in the bugreport is running --check-trustdb unconditionally in an 'apt-key update' call, but this command will not be used in the future and this could still potentially bite us in net-update or adv calls. All of this just to keep a file around, which we do not need… The commit therefore switches to the use of a temporary created trusted.gpg file for everyone and asks gpg to not try to update the trustdb after its intial creation, which seems to avoid the problem altogether. It is using your also faked secring btw as calling the check-trustdb without a keyring is a lot slower … Closes: #687611 Thanks: Andreas Beckmann for the initial patch! --- cmdline/apt-key | 36 ++++++++++++++++++------------------ debian/apt.postinst | 13 +++++++++---- 2 files changed, 27 insertions(+), 22 deletions(-) (limited to 'debian/apt.postinst') diff --git a/cmdline/apt-key b/cmdline/apt-key index 4596e4a47..e010e6e90 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -3,26 +3,26 @@ set -e unset GREP_OPTIONS -# We don't use a secret keyring, of course, but gpg panics and -# implodes if there isn't one available -SECRETKEYRING="$(mktemp)" -CURRENTTRAP="rm -f '${SECRETKEYRING}';" -trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM -GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring ${SECRETKEYRING}" +GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring" -eval $(apt-config shell TRUSTDBDIR Dir::Etc/d) -if [ "$(id -u)" -eq 0 ] || [ -r "${TRUSTDBDIR}/trustdb.gpg" ]; then - # root can read/create the file as needed, so use the default - true -else - # gpg needs a trustdb to function, but it can't be invalid (not even empty) - # so we create a tempory directory to store our fresh readable trustdb in - TRUSTDBDIR="$(mktemp -d)" - CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';" - trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM - chmod 700 "$TRUSTDBDIR" -fi +# gpg needs a trustdb to function, but it can't be invalid (not even empty) +# so we create a temporary directory to store our fresh readable trustdb in +TRUSTDBDIR="$(mktemp -d)" +CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';" +trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM +chmod 700 "$TRUSTDBDIR" +# We also don't use a secret keyring, of course, but gpg panics and +# implodes if there isn't one available - and writeable for imports +SECRETKEYRING="${TRUSTDBDIR}/secring.gpg" +touch $SECRETKEYRING +GPG_CMD="$GPG_CMD --secret-keyring $SECRETKEYRING" GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg" + +# now create the trustdb with an (empty) dummy keyring +$GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING +# and make sure that gpg isn't trying to update the file +GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always" + GPG="$GPG_CMD" MASTER_KEYRING="" diff --git a/debian/apt.postinst b/debian/apt.postinst index 9ff1e031c..caa05ccdf 100644 --- a/debian/apt.postinst +++ b/debian/apt.postinst @@ -15,10 +15,15 @@ set -e case "$1" in configure) - SECRING='/etc/apt/secring.gpg' - # test if secring is an empty normal file - if test -f $SECRING -a ! -s $SECRING; then - rm -f $SECRING + if dpkg --compare-versions "$2" lt-nl 0.9.9.5; then + # we are using tmpfiles for both + rm -f /etc/apt/trustdb.gpg + # this removal was done unconditional since 0.8.15.3 + SECRING='/etc/apt/secring.gpg' + # test if secring is an empty normal file + if test -f $SECRING -a ! -s $SECRING; then + rm -f $SECRING + fi fi apt-key update -- cgit v1.2.3-70-g09d2 From ec9272975f454d3911e61e5cc3b29fe90fe2ee54 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Mon, 12 Aug 2013 17:26:54 +0200 Subject: do not call 'apt-key update' in apt.postinst The debian-archive-keyring package ships trusted.gpg.d fragment files for a while now and dropped their call to 'apt-key update', so there is no need for use to call it as the keys will always be available. This also finally allows a user to remove key(ring)s without APT to overriding this decision by readding them with this step. The functionality is kept around in the odd case that an old debian-archive-keyring package is used which still calls 'apt-key update' and depends on the import (hence, we also do not enforce a newer version of the debian-archive-keyring via our dependencies) --- debian/apt.postinst | 1 - 1 file changed, 1 deletion(-) (limited to 'debian/apt.postinst') diff --git a/debian/apt.postinst b/debian/apt.postinst index caa05ccdf..70de237d0 100644 --- a/debian/apt.postinst +++ b/debian/apt.postinst @@ -25,7 +25,6 @@ case "$1" in rm -f $SECRING fi fi - apt-key update # ensure tighter permissons on the logs, see LP: #975199 if dpkg --compare-versions "$2" lt-nl 0.9.7.7; then -- cgit v1.2.3-70-g09d2