Package: debian-archive-keyring
Version: 2006.11.22
Severity: serious

debian-archive-keyring does not depend on an apt that comes with
apt-key, so in the course of upgrading from sarge to etch one can
end up with a system that has only two keys in apt's keyring,
the signing keys from 2005 and 2006 which are shipped with apt itself.

In the case where I found this I just did an apt-get dist-upgrade from a
quite minimal system, but the issue can easily be triggered manually:

| [EMAIL PROTECTED]:/# echo 'deb http://ftp.tu-graz.ac.at/mirror/debian/ etch main' > /etc/apt/sources.list
| [EMAIL PROTECTED]:/# apt-get update
| Get:1 http://ftp.tu-graz.ac.at etch/main Packages [5600kB]
| Get:2 http://ftp.tu-graz.ac.at etch/main Release [81B]
| Fetched 5600kB in 1s (3851kB/s)
| Reading Package Lists... Done

| [EMAIL PROTECTED]:/# apt-get install debian-archive-keyring
| Reading Package Lists... Done
| Building Dependency Tree... Done
| The following extra packages will be installed:
|   gnupg gpgv libbz2-1.0 libc6 libc6-dev libgcrypt11 libgnutls13 libgpg-error0 libldap2 liblzo1 libncurses5 libopencdk8 libreadline5 libsasl2 libtasn1-3
|   libusb-0.1-4 makedev readline-common tzdata
| Suggested packages:
|   gnupg-doc xloadimage locales glibc-doc manpages-dev rng-tools gnutls-bin hotplug
| Recommended packages:
|   libgpmg1 libsasl2-modules libtasn1-3-bin
| The following NEW packages will be installed:
|   debian-archive-keyring gnupg gpgv libbz2-1.0 libgcrypt11 libgnutls13 libgpg-error0 libldap2 liblzo1 libopencdk8 libreadline5 libsasl2 libtasn1-3
|   libusb-0.1-4 makedev readline-common tzdata
| The following packages will be upgraded:
|   libc6 libc6-dev libncurses5
| 3 upgraded, 17 newly installed, 0 to remove and 62 not upgraded.
| Need to get 810kB/11.5MB of archives.
| After unpacking 11.9MB of additional disk space will be used.
| Do you want to continue? [Y/n] 
[...]
| 
| Setting up gpgv (1.4.5-2) ...
| Setting up makedev (2.3.1-83) ...
| 
| Setting up gnupg (1.4.5-2) ...
| Setting up debian-archive-keyring (2006.11.22) ...
| 
| [EMAIL PROTECTED]:/#


| [EMAIL PROTECTED]:/# apt-get install apt
| Reading Package Lists... Done
| Building Dependency Tree... Done
| The following extra packages will be installed:
|   gcc-4.1-base libgcc1 libstdc++6
| Suggested packages:
|   aptitude synaptic gnome-apt wajig apt-doc bzip2
| The following NEW packages will be installed:
|   gcc-4.1-base libstdc++6
| The following packages will be upgraded:
|   apt libgcc1
| 2 upgraded, 2 newly installed, 0 to remove and 60 not upgraded.
| Need to get 0B/1947kB of archives.
| 
| (Reading database ... 8093 files and directories currently installed.)
| Preparing to replace apt 0.5.28.6 (using .../archives/apt_0.6.46.2_i386.deb) ...
| Unpacking replacement apt ...
| Setting up apt (0.6.46.2) ...
| 
| [EMAIL PROTECTED]:/# apt-key list
| gpg: /etc/apt/trustdb.gpg: trustdb created
| /etc/apt/trusted.gpg
| --------------------
| pub   1024D/4F368D5D 2005-01-31 [expired: 2006-01-31]
| uid                  Debian Archive Automatic Signing Key (2005) <[EMAIL PROTECTED]>
| 
| pub   1024D/2D230C5F 2006-01-03 [expires: 2007-02-07]
| uid                  Debian Archive Automatic Signing Key (2006) <[EMAIL PROTECTED]>
| 
| [EMAIL PROTECTED]:/#




Also, when doing it in one go this happens:
[on a fresh sarge again:]

| [EMAIL PROTECTED]:/# echo 'deb http://ftp.tu-graz.ac.at/mirror/debian/ etch main' > /etc/apt/sources.list
| [EMAIL PROTECTED]:/# apt-get update
| Get:1 http://ftp.tu-graz.ac.at etch/main Packages [5600kB]
| Get:2 http://ftp.tu-graz.ac.at etch/main Release [81B]
| Fetched 5600kB in 1s (3976kB/s)
| Reading Package Lists... Done
| [EMAIL PROTECTED]:/#  apt-get install apt
| Reading Package Lists... Done
| Building Dependency Tree... Done
| The following extra packages will be installed:
|   debian-archive-keyring gcc-4.1-base gnupg gpgv libbz2-1.0 libc6 libc6-dev libgcc1 libgcrypt11 libgnutls13 libgpg-error0 libldap2 liblzo1 libncurses5
|   libopencdk8 libreadline5 libsasl2 libstdc++6 libtasn1-3 libusb-0.1-4 makedev readline-common tzdata
| Suggested packages:
|   aptitude synaptic gnome-apt wajig apt-doc bzip2 gnupg-doc xloadimage locales glibc-doc manpages-dev rng-tools gnutls-bin hotplug
| Recommended packages:
|   libgpmg1 libsasl2-modules libtasn1-3-bin
| The following NEW packages will be installed:
|   debian-archive-keyring gcc-4.1-base gnupg gpgv libbz2-1.0 libgcrypt11 libgnutls13 libgpg-error0 libldap2 liblzo1 libopencdk8 libreadline5 libsasl2
|   libstdc++6 libtasn1-3 libusb-0.1-4 makedev readline-common tzdata
| The following packages will be upgraded:
|   apt libc6 libc6-dev libgcc1 libncurses5
| 5 upgraded, 19 newly installed, 0 to remove and 60 not upgraded.
| Need to get 0B/13.4MB of archives.
| After unpacking 13.6MB of additional disk space will be used.
| Do you want to continue? [Y/n] 
| Selecting previously deselected package tzdata.
| (Reading database ... 7755 files and directories currently installed.)
[...]
| 
| Setting up gnupg (1.4.5-2) ...
| Setting up debian-archive-keyring (2006.11.22) ...
| 
| (Reading database ... 8093 files and directories currently installed.)
| Preparing to replace apt 0.5.28.6 (using .../archives/apt_0.6.46.2_i386.deb) ...
| Unpacking replacement apt ...
| Setting up apt (0.6.46.2) ...
| 
| Setting up libc6-dev (2.3.6.ds1-8) ...
| [EMAIL PROTECTED]:/# apt-key list
| gpg: /etc/apt/trustdb.gpg: trustdb created
| /etc/apt/trusted.gpg
| --------------------
| pub   1024D/4F368D5D 2005-01-31 [expired: 2006-01-31]
| uid                  Debian Archive Automatic Signing Key (2005) <[EMAIL PROTECTED]>
| 
| pub   1024D/2D230C5F 2006-01-03 [expires: 2007-02-07]
| uid                  Debian Archive Automatic Signing Key (2006) <[EMAIL PROTECTED]>
| 
| [EMAIL PROTECTED]:/# 


I think this issue warrants release critical status; if the RMs think
otherwise, please downgrade it.

-- 
Peter
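
A check for the state shown in this report, as an added example that is not part of the original message: it compares the key IDs in two key listings and reports keys that the keyring package ships but apt does not trust, plus keys already past their expiry date. It assumes the `pub` line format shown in the `apt-key list` output above; the function names, the package listing, the `AAAAAAAA` key ID and the reference date are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the report): compare key IDs between two key listings.

# Listing from the report: what apt trusted after the upgrade.
TRUSTED_LISTING='/etc/apt/trusted.gpg
--------------------
pub   1024D/4F368D5D 2005-01-31 [expired: 2006-01-31]
uid                  Debian Archive Automatic Signing Key (2005) <[EMAIL PROTECTED]>

pub   1024D/2D230C5F 2006-01-03 [expires: 2007-02-07]
uid                  Debian Archive Automatic Signing Key (2006) <[EMAIL PROTECTED]>'

# Constructed sample of a keyring package listing; AAAAAAAA is a placeholder ID.
PACKAGE_LISTING='pub   1024D/2D230C5F 2006-01-03 [expires: 2007-02-07]
uid                  Debian Archive Automatic Signing Key (2006)

pub   1024D/AAAAAAAA 2006-11-20 [expires: 2009-07-01]
uid                  Placeholder key (constructed)'

# key_ids LISTING: print the short key ID of every "pub" line, sorted, unique.
key_ids() {
    printf '%s\n' "$1" | awk '$1 == "pub" { split($2, a, "/"); print a[2] }' | sort -u
}

# missing_keys PACKAGE TRUSTED: IDs shipped in PACKAGE but absent from TRUSTED.
missing_keys() {
    trusted=$(key_ids "$2")
    for id in $(key_ids "$1"); do
        printf '%s\n' "$trusted" | grep -qx "$id" || printf '%s\n' "$id"
    done
}

# expired_keys LISTING TODAY: IDs whose expiry date is before TODAY (YYYY-MM-DD).
expired_keys() {
    printf '%s\n' "$1" | awk -v today="$2" '
        $1 == "pub" && ($4 == "[expired:" || $4 == "[expires:") {
            d = $5; sub(/\]$/, "", d)          # strip the closing bracket
            if (d < today) { split($2, a, "/"); print a[2] }
        }'
}

echo "not imported into apt: $(missing_keys "$PACKAGE_LISTING" "$TRUSTED_LISTING")"
echo "expired as of 2006-12-01: $(expired_keys "$TRUSTED_LISTING" 2006-12-01)"
```

On a live system the two listings would come from `apt-key list` and from a gpg listing of the keyring file shipped by debian-archive-keyring; a non-empty result from `missing_keys` means the package was configured without its keys reaching apt's trusted keyring.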

