Re: Repository key handling changed

From: Aaron Pavely <aaron(at)pavely(dot)net>
To: Christoph Berg <myon(at)debian(dot)org>, PostgreSQL in Debian <pgsql-pkg-debian(at)lists(dot)postgresql(dot)org>
Subject: Re: Repository key handling changed
Date: 2022-11-14 20:06:58
Message-ID: CAGs4muUPqUY9iW-c3309C2H5Q8zrH4E1oA4oBaKK933EftggHw@mail.gmail.com
Lists: pgsql-pkg-debian

On Fri, Nov 11, 2022 at 10:54 AM Christoph Berg <myon(at)debian(dot)org> wrote:

> Hi,
>
> previously, when installing postgresql-common from apt.postgresql.org,
> it would pull in the pgdg-keyring package that contains the key for
> the repository:
>
> /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc
> /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg
> /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg -> /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg
>
> In postgresql-common 246, this has been changed such that
> postgresql-common itself contains the key files, and the trusted.gpg.d
> symlink is created when a /etc/apt/sources.list.d/pgdg.list is found.
>
> On upgrade, pgdg-keyring will be removed, but since the same set of
> files is provided, nothing should change.
>
> One caveat is that pgdg-keyring has
> /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg marked as conffile, so if
> the package is purged after the removal, the .gpg file will be removed.
> (Workaround: reinstall postgresql-common, or don't purge pgdg-keyring,
> or use an explicit key file (see below))
>
>
> Additionally the apt.postgresql.org.sh installer script [1] has been
> updated to write /etc/apt/sources.list.d/pgdg.sources in the modern
> deb-822 style. By default it looks like this:
>
> $ cat /etc/apt/sources.list.d/pgdg.sources
> Types: deb
> URIs: https://apt.postgresql.org/pub/repos/apt
> Suites: bullseye-pgdg
> Components: main
> Signed-By: /usr/share/postgresql-common/pgdg/apt.postgresql.org.gpg
>
> [1] https://salsa.debian.org/postgresql/postgresql-common/-/raw/master/pgdg/apt.postgresql.org.sh
>
> The advantage is that the key for the repository is explicitly
> specified, and the URI scheme has been upgraded to https://.
> (Make sure systems have ca-certificates installed!)
>
>
> I have not yet upgraded the installation instructions on
> https://wiki.postgresql.org/wiki/Apt, since they are compatible
> with either version of the key/scripts, but will do so over the next
> days.
>
>
> If you have questions, follow up here or ask on #postgresql-apt on
> libera.
>
> Christoph
>

I am wondering if the repository keys should have gone into
postgresql-client-common, since there are cases where one will have
postgresql-client-common installed, but not postgresql-common (e.g., hosts
needing only the client libraries).

-- Aaron
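
A check for the two key setups described in this thread (the explicit Signed-By in pgdg.sources, and the trusted.gpg.d entry that a pgdg-keyring purge removes), as an added example that is not part of the original messages or of postgresql-common. The function names and the optional root prefix are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the apt key wiring described in the thread.
# The optional root prefix is an assumption of this example so the checks can
# run against a constructed tree instead of the live filesystem.

# Print the first Signed-By value of each deb822 stanza, or "<none>".
# Embedded (multi-line) keys are not handled; only key file paths.
signed_by_values() {
    awk '
        function emit() { if (seen) { out = (key == "" ? "<none>" : key); print out }
                          seen = 0; key = "" }
        /^[ \t]*$/ { emit(); next }   # a blank line ends a stanza
        /^#/       { next }           # comment line
        { seen = 1 }
        tolower($1) == "signed-by:" { key = $2 }
        END { emit() }' "$1"
}

# Return 0 only if every stanza names a key file that exists and is non-empty.
check_sources() {
    file=$1; root=${2:-}; rc=0
    [ -r "$file" ] || { echo "FAIL cannot read $file"; return 1; }
    for sb in $(signed_by_values "$file"); do
        if [ "$sb" = "<none>" ]; then
            echo "WARN $file: stanza without Signed-By"; rc=1
        elif [ ! -s "$root$sb" ]; then
            echo "FAIL $file: key file missing or empty: $sb"; rc=1
        else
            echo "OK   $file: Signed-By $sb"
        fi
    done
    return $rc
}

# Return 0 if the trusted.gpg.d entry resolves; 1 if it is absent (the state
# after purging pgdg-keyring, per the caveat above) or a dangling symlink.
check_trusted_link() {
    link=${1:-}/etc/apt/trusted.gpg.d/apt.postgresql.org.gpg
    if [ -L "$link" ] && [ ! -e "$link" ]; then
        echo "FAIL dangling symlink: $link"; return 1
    elif [ ! -e "$link" ]; then
        echo "FAIL missing: $link"; return 1
    fi
    echo "OK   $link"
}

# Runs against the live system only when a .sources path is given.
if [ $# -gt 0 ]; then check_sources "$1"; check_trusted_link; fi
```

A host that uses only the Signed-By form does not need the trusted.gpg.d entry, so a failure from `check_trusted_link` matters only for a `pgdg.list` style setup.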
