On Sun, 2024-05-19 at 07:41 +0200, Andreas Metzler wrote:
> Thanks for the quick reply. You have installed gpgv-from-sq which
> diverts "our" gpgv. (I will check a little bit more and reassign to
> apt.)

Oh okay. I'd assumed that gpgv had dropped support for the argument either accidentally through a mistake with build args, or in a planned way that overlooked use by apt. I wasn't expecting some third-party drop-in to suddenly get installed with an imperfect emulation; I didn't even know there were alternative implementations available.

I did notice the installation of the 'sq' packages but it happened as part of a normal upgrade, I didn't ask for them, and I assumed that it was just another splitting up of code to minimise attack surface after the recent high profile supply chain attack against ssh.

So the 'sq' packages are actually a Rust-based alternative, that's great, big fan of Rust. However somehow it's gotten pulled in as a replacement now, without explicitly asking for it, when it's not actually fully ready for use as a replacement in Debian considering its emulation is incomplete and it impacts something as critical as apt.

Why did it get installed? Here's my apt log from early morning 2024-05-17 having run `aptitude upgrade`:

Install: gpgv-sq:amd64 (0.8.0-5, automatic), gpgv-from-sq:amd64 (0.8.0-5, automatic), sq:amd64 (0.33.0-3, automatic)

Upgrade: libwireshark17t64:amd64 (4.2.4-1, 4.2.5-1), libwireshark-data:amd64 (4.2.4-1, 4.2.5-1), udev:amd64 (256~rc2-1, 256~rc2-3), systemd-oomd:amd64 (256~rc2-1, 256~rc2-3), libgdk-pixbuf2.0-bin:amd64 (2.42.10+dfsg-3+b3, 2.42.12+dfsg-1), systemd-container:amd64 (256~rc2-1, 256~rc2-3), libnss-myhostname:amd64 (256~rc2-1, 256~rc2-3), libpam-systemd:amd64 (256~rc2-1, 256~rc2-3), busybox:amd64 (1:1.36.1-6+b1, 1:1.36.1-7), gir1.2-gdkpixbuf-2.0:amd64 (2.42.10+dfsg-3+b3, 2.42.12+dfsg-1), python3-typing-extensions:amd64 (4.10.0-1, 4.11.0-1), libjavascriptcoregtk-4.1-0:amd64 (2.44.1-1+b1, 2.44.2-1), libsystemd0:amd64 (256~rc2-1, 256~rc2-3), gir1.2-javascriptcoregtk-4.1:amd64 (2.44.1-1+b1, 2.44.2-1), python3-requests:amd64 (2.31.0+dfsg-1, 2.31.0+dfsg-2), gir1.2-javascriptcoregtk-6.0:amd64 (2.44.1-1+b1, 2.44.2-1), libnss-systemd:amd64 (256~rc2-1, 256~rc2-3), gir1.2-webkit2-4.1:amd64 (2.44.1-1+b1, 2.44.2-1), libgdk-pixbuf-2.0-0:amd64 (2.42.10+dfsg-3+b3, 2.42.12+dfsg-1), libjavascriptcoregtk-6.0-1:amd64 (2.44.1-1+b1, 2.44.2-1), libwiretap14t64:amd64 (4.2.4-1, 4.2.5-1), systemd:amd64 (256~rc2-1, 256~rc2-3), libudev1:amd64 (256~rc2-1, 256~rc2-3), libnss-mymachines:amd64 (256~rc2-1, 256~rc2-3), wireshark-common:amd64 (4.2.4-1, 4.2.5-1), gpgv:amd64 (2.2.43-3, 2.2.43-5), systemd-resolved:amd64 (256~rc2-1, 256~rc2-3), python3-numpy:amd64 (1:1.26.4+ds-8, 1:1.26.4+ds-9), libyuv0:amd64 (0.0.1888.20240509-3, 0.0.1888.20240509-4), libwebkit2gtk-4.1-0:amd64 (2.44.1-1+b1, 2.44.2-1), libnss-resolve:amd64 (256~rc2-1, 256~rc2-3), libwsutil15t64:amd64 (4.2.4-1, 4.2.5-1), gir1.2-webkit-6.0:amd64 (2.44.1-1+b1, 2.44.2-1), libsystemd-shared:amd64 (256~rc2-1, 256~rc2-3), systemd-sysv:amd64 (256~rc2-1, 256~rc2-3), libwebkitgtk-6.0-4:amd64 (2.44.1-1+b1, 2.44.2-1), wireshark:amd64 (4.2.4-1, 4.2.5-1), linux-libc-dev:amd64 (6.7.12-1, 6.8.9-1), libgdk-pixbuf2.0-common:amd64 (2.42.10+dfsg-3, 2.42.12+dfsg-1)

Having a quick look now at `gpgv-from-sq` and `gpgv-sq` in `aptitude -i`, I see nothing depending on the former, and only the former depends on the latter. There's also the `sq` package... I see `dpkg-dev` (which I have installed) lists `sq` as an alternative to a dependency on both `gpgv` and `gnupg`. Hmm.

Ah, I recall that some gpg packages were held back from upgrade during this time. Only the `gpgv` package got upgraded in the above log. Only later in the day did the rest get upgraded:

Install: linux-image-6.8.9-amd64:amd64 (6.8.9-1, automatic), linux-headers-6.8.9-common:amd64 (6.8.9-1, automatic), linux-kbuild-6.8.9:amd64 (6.8.9-1, automatic), linux-headers-6.8.9-amd64:amd64 (6.8.9-1, automatic)

Upgrade: gpg:amd64 (2.2.43-3, 2.2.43-6), linux-headers-amd64:amd64 (6.7.12-1, 6.8.9-1), gnupg:amd64 (2.2.43-3, 2.2.43-6), gpg-wks-server:amd64 (2.2.43-3, 2.2.43-6), gpg-agent:amd64 (2.2.43-3, 2.2.43-6), linux-image-amd64:amd64 (6.7.12-1, 6.8.9-1), gpgv:amd64 (2.2.43-5, 2.2.43-6), gpgsm:amd64 (2.2.43-3, 2.2.43-6), dirmngr:amd64 (2.2.43-3, 2.2.43-6), 7zip:amd64 (24.05+dfsg-2, 24.05+dfsg-3), gnupg-utils:amd64 (2.2.43-3, 2.2.43-6), gnupg-l10n:amd64 (2.2.43-3, 2.2.43-6), gpg-wks-client:amd64 (2.2.43-3, 2.2.43-6), gpgconf:amd64 (2.2.43-3, 2.2.43-6), intel-microcode:amd64 (3.20240312.1, 3.20240514.1)

So it seems that with some of the gpg packages held back, including `gnupg`, `aptitude upgrade` chose to pull in `sq` as a replacement. :/
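
An added example, not part of the original message: a small parser for apt history-log stanzas of the kind quoted above, listing packages that were installed with the `automatic` flag, that is, pulled in by the resolver rather than requested. The sample stanzas are abridged from the message; the timestamps and the `watch` pattern are constructed for illustration.

```python
import re

# Constructed sample in apt history-log format, abridged from the two
# transactions quoted in the message. Timestamps are made up.
SAMPLE = """\
Start-Date: 2024-05-17  06:02:11
Install: gpgv-sq:amd64 (0.8.0-5, automatic), gpgv-from-sq:amd64 (0.8.0-5, automatic), sq:amd64 (0.33.0-3, automatic)
Upgrade: gpgv:amd64 (2.2.43-3, 2.2.43-5), busybox:amd64 (1:1.36.1-6+b1, 1:1.36.1-7)
End-Date: 2024-05-17  06:03:40

Start-Date: 2024-05-17  18:20:05
Install: linux-image-6.8.9-amd64:amd64 (6.8.9-1, automatic)
Upgrade: gnupg:amd64 (2.2.43-3, 2.2.43-6), gpgv:amd64 (2.2.43-5, 2.2.43-6)
End-Date: 2024-05-17  18:24:31
"""

# One entry looks like "name:arch (field, field)". Entries are separated by
# ", ", and commas also occur inside the parentheses, so match whole entries
# instead of splitting the line on commas.
ENTRY = re.compile(r"(?P<name>[^\s:,]+):(?P<arch>[^\s(]+) \((?P<info>[^)]*)\)")
ACTIONS = ("Install", "Upgrade", "Remove", "Purge")

def parse_history(text):
    """Yield one dict per transaction: start date and {action: [(pkg, fields)]}."""
    for stanza in re.split(r"\n\s*\n", text.strip()):
        txn = {"start": None, "actions": {}}
        for line in stanza.splitlines():
            key, _, value = line.partition(": ")
            if key == "Start-Date":
                txn["start"] = value.strip()
            elif key in ACTIONS:
                txn["actions"][key] = [(m["name"], m["info"].split(", "))
                                       for m in ENTRY.finditer(value)]
        yield txn

def unrequested_installs(text, watch=()):
    """Return (start, pkg, version) for installs flagged 'automatic'.
    If `watch` is given, report only names matching one of its regexes."""
    hits = []
    for txn in parse_history(text):
        for name, fields in txn["actions"].get("Install", []):
            if "automatic" in fields and (
                    not watch or any(re.search(w, name) for w in watch)):
                hits.append((txn["start"], name, fields[0]))
    return hits

if __name__ == "__main__":
    for start, pkg, version in unrequested_installs(SAMPLE):
        print(f"{start}  {pkg} {version} (automatic)")
```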