Instructions back to the list, in case this is of more general interest.

I said…

>>What is your opinion about staying current with security updates for
>>this specifically crafted package?
>
>If I know I have users I can stay on top of other updates with this
>package. For simplicity I’d probably follow uploads to unstable and
>rebuild these, with the sysvinit patchset added, within bullseye; I

I’ve done that and I’ll keep up with Markus’ uploads to sid as much
as possible. (I even had to add a patch to make it buildable on
bullseye already, but then the bullseye-security upload is going to
need that exact patch, too.)

>have successfully used the binary packages coming from that as well
>on a buster system, so this should cover three releases.

I have indeed tested the latest version on buster, and it works.
Though, my testing is (currently) really minimal as I’m not in a
Java project at the moment. Nevertheless, my employer, ⮡ tarent,
has sponsored some of my time working on this project again.

>One thing I have already done is to “split” the packages in my APT
>repo so that those I consider “LTS” are available without pulling

The repository is available at http://www.mirbsd.org/~tg/Debs/
though the https on that server is TLSv1 only, which your browser
may not like without reconfiguration so I’ve set up a mirror at
https://caas.mirbsd.org:444/Debs/ (actually the latter is just a
view of the main repo storage on the box, so it’ll be inconsistent
during package updates for a longer time, say a half hour or so,
instead of just for a few seconds as the first URL, but it’s good
to obtain the PGP key, for example, using https as extra trust-y
anchor; the repo/packages themselves use Secure APT via PGP anyway).

Let’s discuss enabling the repository first.

If you use the “extrepo” package, it’s as easy as enabling the
“wtf-lts” repo, if you’re on buster or bullseye. If you’re on
bookworm/testing or sid, you’ll currently need to set up the
full “wtf” repository with sid as release; since you wrote you’ll
use pinning anyway, this should not be a problem.

If you don’t use the “extrepo” package, you’ll need to first let
apt know the PGP key. The “modern” but pre-bookworm way is to get
https://caas.mirbsd.org:444/Debs/wtf-debian-keyring.gpg and
https://caas.mirbsd.org:444/Debs/wtf-debian-keyring.gpg.asc then
use the latter with my Debian Developer key to verify the former.
My DD key is shipped in the package debian-keyring, and I’m using
it to sign this message, too. You can for example do:
$ gpg --keyring /usr/share/keyrings/debian-keyring.gpg \
    wtf-debian-keyring.gpg.asc
Once verified, place wtf-debian-keyring.gpg into /etc/apt/trusted.gpg.d/
(however, see below regarding the keyring package) and as next step, add
an appropriate sources.list(.d) line, such as:
 deb http://www.mirbsd.org/~tg/Debs/ bullseye lts

The bookworm way is to load https://caas.mirbsd.org:444/Debs/wtf.sources
(and .asc again) instead and place that into /etc/apt/sources.list.d/
and it will replace *both* the trusted key *and* the sources.list entry
by placing the key with the entry in the new “long” format, so it’s only
used for this repository. This doesn’t yet work in bullseye, AFAIK :/

Neither will get you auto-updates for the key. See below for that.

>in other “alternative” versions of packages, so it can safely be
>added to most systems. The current set of packages for bullseye is:

You wrote you need only tomcat and prefer pinning. You can do pinning;
basically, you need to pin down all packages from the repository except
the binary packages from the tomcat9 source package, which are:
 libtomcat9-embed-java deb java optional arch=all
 libtomcat9-java deb java optional arch=all
 tomcat9 deb java optional arch=all
 tomcat9-admin deb java optional arch=all
 tomcat9-common deb java optional arch=all
 tomcat9-docs deb doc optional arch=all
 tomcat9-examples deb java optional arch=all
 tomcat9-user deb java optional arch=all

I’ve not had much success with pinning myself, other than to tell apt
to never install systemd at all, and to force specific versions for
packages. But maybe you figure it out and will share it for everyone?

The repository (independent of whether you use the lts or wtf component)
uses the following identification:

Origin: The MirOS Project
Label: wtf
Suite: bullseye or sid etc…
Codename: bullseye or sid etc…

So I think you should be able to pin with o= (space might be tricky)
and l= according to apt_preferences(5)… anyway, do tell us if it works
(otherwise, we’ll need to prod at it together, until it’s going to).

>• wtf-debian-keyring (the keyring package for this repo)

You wrote:
|Keyring behavior has been changed (to be more cumbersome for a user, I
|think) on Bullseye. Does this still work?

It does. This package still uses the “oldold” way, in that apt-key(8)
is called from postinst. It warns loudly about that. (It might no longer
work on bookworm/sid though.)

I had planned on splitting this package up into old and newer flavours
and have the newer one place a file in /etc/apt/trusted.gpg.d/ as
mentioned above, but the “put the key together with the sources entry”
method really has benefits, so I’m undecided.

For now, if you want the keyring package, either get that over https
and trust that or run “apt-key add wtf-debian-keyring.gpg” instead of
placing the file in /etc/apt/trusted.gpg.d/ and then install the keyring
package using normal apt-get. (The keyring package does ensure the keys
are properly removed on purge; it will also do so when I switch the method.)

In the RPM world, there’s a concept called “release package” (e.g. you do
“yum install epel-release” to install a package which contains both the
key and the sources.list equivalent of a repository) and this *MIGHT* be
a way to do this on Debian… the /etc/ placement is tricky however, and
it’d need lots of packages and the extrepo mechanism isn’t prepared for
it either. I think I’ll need to talk to people… (>>TODO)

bye,
//mirabilos
-- 
> Wish I had pine to hand :-( I'll give lynx a try, thanks.

Michael Schmitz on nntp://news.gmane.org/gmane.linux.debian.ports.68k
a.k.a. {news.gmane.org/nntp}#news.gmane.linux.debian.ports.68k in pine
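As an added, constructed example that is not part of the message above: an apt_preferences(5) fragment implementing the pinning the message describes, i.e. keeping every package from the repository out except the eight tomcat9 binaries. It matches on the repository's Label (l=wtf) rather than the Origin, which sidesteps the space in "The MirOS Project"; the file name under /etc/apt/preferences.d/ is an assumption.

```text
# /etc/apt/preferences.d/wtf-tomcat9   (constructed example, assumed path)
#
# General-form record: every package whose candidate version comes from a
# Release file with "Label: wtf" gets a negative priority, so apt will never
# install or upgrade to it on its own.  This covers both the "lts" and the
# "wtf" component, since the Label is the same for both.
Package: *
Pin: release l=wtf
Pin-Priority: -1

# Specific-form record: only the binaries built from the tomcat9 source
# package may be taken from that repository.  Specific-form records take
# precedence over the general-form record above, and 990 outranks the
# default priority (500) of the Debian archive, so these eight packages
# follow the repository while everything else stays on Debian.
Package: libtomcat9-embed-java libtomcat9-java tomcat9 tomcat9-admin tomcat9-common tomcat9-docs tomcat9-examples tomcat9-user
Pin: release l=wtf
Pin-Priority: 990
```

After placing the file, "apt-cache policy tomcat9" should show the repository's version with priority 990 and "apt-cache policy" for any other package from the repository should show it at -1.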

