You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your feature request related to a problem? Please describe.
To install any PHP package from the repository the package debsuryorg-archive-keyring must be installed as well because it is a hard dependency of php-common. This package does not only put the sury keys into /usr/share/keyrings but also installs a key into the implicit trust store /etc/apt/trusted.gpg.d. I understand this was done to trick old installations into using a new key without manual intervention (or approval for that matter...)
Describe the solution you'd like
I would like to remove the keyring package as I prefer to have a clean /etc/apt/trusted.gpg.d and am able to do key management myself. Since php-common does not actually need debsuryorg-archive-keyring to function its metadata should be updated to remove the fake dependency. A Recommends should be sufficient to prevent autoremove from removing the package even if it was automatically installed, but still allows manual removal.
Describe alternatives you've considered
Just dropping the dependency altogether might break old installations again because debsuryorg-archive-keyring is merely automatically installed and could be removed by autoremove at some point.
Likewise removing the /etc/apt/trusted.gpg.d file from the keyring package will break old installations that lack the [signed-by=/usr/share/keyrings/...] tag in their sources.list.
However this could be made to work by adding a postinst script to the keyring package that scans the apt sources for the sury repository and only if it lacks the signed-by tag copies one of the files from /usr/share/keyrings to /etc/apt/trusted.gpg.d. Probably too unreliable
A different solution would be to mark the debsury-archive-keyring package as manually installed in some postinst script and then drop the dependency altogether. New installations will already have this package manually installed as per the README.txt installation instructions.
A workaround for end users is to create a fake/empty package with equivs that provides debsury-archive-keyring solely to fulfill the dependency of php-common. Then the real debsury-archive-keyring package can be uninstalled. This is an ugly workaround since it will leave a package lacking a repository source in your system, which APT frontends consider an obsolete package.
Distribution (please complete the following information):
OS: Debian
Architecture: -
Repository: packages.sury.org
Package(s) (please complete the following information):
Frequently asked questions
Is your feature request related to a problem? Please describe.
To install any PHP package from the repository the package
debsuryorg-archive-keyringmust be installed as well because it is a hard dependency ofphp-common. This package does not only put the sury keys into/usr/share/keyringsbut also installs a key into the implicit trust store/etc/apt/trusted.gpg.d. I understand this was done to trick old installations into using a new key without manual intervention (or approval for that matter...)Describe the solution you'd like
I would like to remove the keyring package as I prefer to have a clean
/etc/apt/trusted.gpg.dand am able to do key management myself. Sincephp-commondoes not actually needdebsuryorg-archive-keyringto function its metadata should be updated to remove the fake dependency. ARecommendsshould be sufficient to preventautoremovefrom removing the package even if it was automatically installed, but still allows manual removal.Describe alternatives you've considered
Just dropping the dependency altogether might break old installations again because
debsuryorg-archive-keyringis merely automatically installed and could be removed byautoremoveat some point.Likewise removing the
/etc/apt/trusted.gpg.dfile from the keyring package will break old installations that lack the[signed-by=/usr/share/keyrings/...]tag in their sources.list.postinstscript to the keyring package that scans the apt sources for the sury repository and only if it lacks the signed-by tag copies one of the files from/usr/share/keyringsto/etc/apt/trusted.gpg.d. Probably too unreliableA different solution would be to mark the
debsury-archive-keyringpackage as manually installed in some postinst script and then drop the dependency altogether. New installations will already have this package manually installed as per the README.txt installation instructions.A workaround for end users is to create a fake/empty package with
equivsthat providesdebsury-archive-keyringsolely to fulfill the dependency ofphp-common. Then the realdebsury-archive-keyringpackage can be uninstalled. This is an ugly workaround since it will leave a package lacking a repository source in your system, which APT frontends consider an obsolete package.Distribution (please complete the following information):
Package(s) (please complete the following information):
Additional context
-
The text was updated successfully, but these errors were encountered: