You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your feature request related to a problem? Please describe.
To install any PHP package from the repository the package debsuryorg-archive-keyring must be installed as well because it is a hard dependency of php-common. This package does not only put the sury keys into /usr/share/keyrings but also installs a key into the implicit trust store /etc/apt/trusted.gpg.d. I understand this was done to trick old installations into using a new key without manual intervention (or approval for that matter...)
Describe the solution you'd like
I would like to remove the keyring package as I prefer to have a clean /etc/apt/trusted.gpg.d and am able to do key management myself. Since php-common does not actually need debsuryorg-archive-keyring to function its metadata should be updated to remove the fake dependency. A Recommends should be sufficient to prevent autoremove from removing the package even if it was automatically installed, but still allows manual removal.
Describe alternatives you've considered
Just dropping the dependency altogether might break old installations again because debsuryorg-archive-keyring is merely automatically installed and could be removed by autoremove at some point.
Likewise removing the /etc/apt/trusted.gpg.d file from the keyring package will break old installations that lack the [signed-by=/usr/share/keyrings/...] tag in their sources.list.
However this could be made to work by adding a postinst script to the keyring package that scans the apt sources for the sury repository and only if it lacks the signed-by tag copies one of the files from /usr/share/keyrings to /etc/apt/trusted.gpg.d. Probably too unreliable
A different solution would be to mark the debsury-archive-keyring package as manually installed in some postinst script and then drop the dependency altogether. New installations will already have this package manually installed as per the README.txt installation instructions.
A workaround for end users is to create a fake/empty package with equivs that provides debsury-archive-keyring solely to fulfill the dependency of php-common. Then the real debsury-archive-keyring package can be uninstalled. This is an ugly workaround since it will leave a package lacking a repository source in your system, which APT frontends consider an obsolete package.
Distribution (please complete the following information):
OS: Debian
Architecture: -
Repository: packages.sury.org
Package(s) (please complete the following information):
Frequently asked questions
Is your feature request related to a problem? Please describe.
To install any PHP package from the repository the package
debsuryorg-archive-keyring
must be installed as well because it is a hard dependency ofphp-common
. This package does not only put the sury keys into/usr/share/keyrings
but also installs a key into the implicit trust store/etc/apt/trusted.gpg.d
. I understand this was done to trick old installations into using a new key without manual intervention (or approval for that matter...)Describe the solution you'd like
I would like to remove the keyring package as I prefer to have a clean
/etc/apt/trusted.gpg.d
and am able to do key management myself. Sincephp-common
does not actually needdebsuryorg-archive-keyring
to function its metadata should be updated to remove the fake dependency. ARecommends
should be sufficient to preventautoremove
from removing the package even if it was automatically installed, but still allows manual removal.Describe alternatives you've considered
Just dropping the dependency altogether might break old installations again because
debsuryorg-archive-keyring
is merely automatically installed and could be removed byautoremove
at some point.Likewise removing the
/etc/apt/trusted.gpg.d
file from the keyring package will break old installations that lack the[signed-by=/usr/share/keyrings/...]
tag in their sources.list.postinst
script to the keyring package that scans the apt sources for the sury repository and only if it lacks the signed-by tag copies one of the files from/usr/share/keyrings
to/etc/apt/trusted.gpg.d
. Probably too unreliableA different solution would be to mark the
debsury-archive-keyring
package as manually installed in some postinst script and then drop the dependency altogether. New installations will already have this package manually installed as per the README.txt installation instructions.A workaround for end users is to create a fake/empty package with
equivs
that providesdebsury-archive-keyring
solely to fulfill the dependency ofphp-common
. Then the realdebsury-archive-keyring
package can be uninstalled. This is an ugly workaround since it will leave a package lacking a repository source in your system, which APT frontends consider an obsolete package.Distribution (please complete the following information):
Package(s) (please complete the following information):
Additional context
-
The text was updated successfully, but these errors were encountered: