@Ogis1975: So what's your purpose with that kind of post?
Please excuse my poor English. First of all, I wanted to ask why the persons responsible for maintaining the repository keys did not update them in time? Second of all, I wanted to ask about these people, i.e. the Devuan developers' approach to security. Is it normal that the people responsible for storing these keys have not updated them in time? Is it normal that these keys have to be manually downloaded and installed in a potentially dangerous way?
P.S.
I just want to reiterate that personally I have been using Debian for over ten years. I have NEVER had such or similar problems. Maybe Devuan developers should review their approach to security and not be so irresponsible? Personally, I'm about to migrate back to Debian land, since the Debian developers take security much more seriously.....
P.P.S.
I don't want to offend anyone. This is just my opinion...
Last edited by Ogis1975 (2022-09-07 13:29:53)
What economists call over-production is but a production that is above the purchasing power of the worker, who is reduced to poverty by capital and state.
----+- Peter Kropotkin -+----
Ogis1975's is a reasonable question to ask.
If you get offended by the question then
That is the response of a child, not of a grown adult
No-one can ever then expect that you will take this matter seriously & responsibly
The future then will be filled with an infinite repetition of these (and other) issues, with zero fix in sight
Now yes, of course, you also get idiotic responses from entitled fools that have zero respect for the continual efforts of unpaid volunteers on their behalf. Those people do not deserve any respect, but that does not mean that Ogis1975's question is not a reasonable one to ask.
Many thanks to Ralph for his continual efforts on Devuan's behalf. It is a new venture & I fully expect bumps along the road. As long as things continually improve I have few complaints & immense gratitude for the simple fact that it is available to the world & to me.
Also, for those of us using apt-cacher-ng:
find /var/cache/apt-cacher-ng -name \*InRelease\* -delete
This may delete a little more than necessary, but it does the job.
Ogis1975's is a reasonable question to ask.
I disagree: it's a totally useless question.
Obviously there has been some kind of process failure when everyone in the whole community, including you and Ogis1975 as well as myself, failed to notice that the repository key was about to expire.
You don't have to ask about that. Rather you should ask yourself: "how can I help in the future?" and then act towards that.
a calendar thingy for anyone/@ll in the devuan core team with access to the key, should be easy to do. (to save the same trouble next year.)
ralph, users do not have access to gpg keys, nor do they sign packages with that key "everyday", nor do they run `apt-key list` everyday....
i think it's mostly up to the core team to just put some reminders on key/security processes.
yes, users can help, but you should not rely on others noticing in the first place for core/critical(imho), things.
2c.
@Ogis1975:
When Devuan has as many maintainers as Debian has, I would likely expect the same, but until then......
(These things happen.....some other software maintainers have been known to forget to renew keys too.)
EDIT: So glad this problem was sorted out so quickly, many thanks.
Last edited by Camtaf (2022-09-08 08:55:22)
Hi, joined the forum just now and wanted to ask if maybe the keys should not have an expiry date or is this a security issue if they have no expiry?
Many thanks for the quick fix though.
Edit to add, I found this interesting stackexchange post about this, albeit a bit old.
https://security.stackexchange.com/questions/14718/does-openpgp-key-expiration-add-to-security/79386#79386
Last edited by Evenson (2022-09-08 12:07:01)
"A stop job is running..." - SystemD
alexkemp wrote: Ogis1975's is a reasonable question to ask.
I disagree: it's a totally useless question.
Yes, of course. You won't get far with that attitude. By the way, even distrowatch mentioned this key issue. Great promotion for this distro.
P.S.
I have already migrated my machines to Debian land.
What economists call over-production is but a production that is above the purchasing power of the worker, who is reduced to poverty by capital and state.
----+- Peter Kropotkin -+----
This is something that I take for granted...as I'm sure many others do.
If someone will tell me how to keep up with the renewal date(s), I will gladly accept that responsibility in order to help the project.
I may be the creator of a Devuan respin, but I'm not ashamed to admit my lack of knowledge in certain areas. I'm always happy to learn something new.
Lay it on me baby!
Contact me here or by email.
I have been Devuanated, and my practice in the art of Devuanism shall continue until my Devuanization is complete. Until then, I will strive to continue in my understanding of Devuanchology, Devuanprocity, and Devuanivity.
Veni, vidi, vici vdevuaned. I came, I saw, I Devuaned.
This is something that I take for granted...as I'm sure many others do.
If someone will tell me how to keep up with the renewal date(s), I will gladly accept that responsibility in order to help the project.
I may be the creator of a Devuan respin, but I'm not ashamed to admit my lack of knowledge in certain areas. I'm always happy to learn something new.
Lay it on me baby!
Contact me here or by email.
Oh Miyo . . . you are one in a million!! Someone who understands the dynamics of what sustains "free software" and actually steps up to DO something!!! You will be contacted shortly. Promise . . .
What Camtaf said. It's a small project that's run by a few volunteers, so I don't understand the need to escalate things, when there are some workarounds for this. Manually installing the updated DEB file worked for me.
Be like our friend MiyoLinux and offer to help out.
At https://ido.rrq.id.au/download there is an initial collection of trial installer ISOs that need to be tested in a range of settings.
Everyone here who doesn't devalue themselves with the label "just a Devuan user" should grab at least one of them and run it through a number of variations, and then report on it, maybe as an email to me. Refer to usecases.html for the primary use case division. VM trials as well as bare-metal trials are good.
EDIT: my alternate email is rrq at rrq dot id dot au
At https://ido.rrq.id.au/download there is an initial collection of trial installer ISOs that need to be tested in a range of settings.
Everyone here who doesn't devalue themselves with the label "just a Devuan user" should grab at least one of them and run it through a number of variations, and then report on it, maybe as an email to me. Refer to usecases.html for the primary use case division. VM trials as well as bare-metal trials are good.
EDIT: my alternate email is rrq at rrq dot id dot au
Thanks for your work, Ralph
If you work systematically, things will come by itself (Lev D. Landau)
An update on this key problem: It seems to have been fixed. [ Sometime after 9/9 ]
Without changing anything or manually doing a key import, my apt-get update & upgrade procs now work as designed.
I wasn't really looking forward to a manual intervention on my dozen or so systems. Some of which are sometimes difficult to reach. :-(
So: Many thanks to whoever got the archive signed. I'm guessing here, but probably with an old but unexpired key... ??
But it works.
Thanx.
Sorry for being late to the party at So 11 Sep 2022 21:44:59 CEST,
date +%c, you know?
Last Sunday noon, aka So 04 Sep 12:00, my usual workflow (as root) was disrupted by an EXPKEYSIG error: WTF? Network error caused by provider? No. – DNS problem? No. – What is going on? This looks like a serious problem to my local machine and has to be fixed NOW!
Wait, eight days later, I want to make a long story short. Since my 1st beginning with Linux kernels and GNU software on rpm-based machines I have known a true zen saying:
Security is a matter of trust.
Once upon a time an "update" process "distrusted his master's voice" and therefore ignored my well-chosen configuration. I lost data and recovering from this accident took some time. The change to the Debian packaging system, a change of distribution, was one of the consequences. And the step from debian/jessie to devuan/jessie some years later wasn't that difficult to continue the way with GNU/Linux. Back to the failing apt update (as root;)
I'm not a C programmer and I have only a vague understanding of so-called elliptic-curve "internet security", but last week there was an urgent need for me to find something like a Devuan Cryptographic Key. But where? And HOW TO know that this is the right key?
Thanks to ralph.ronnquist I've found two answers. (There always has to be an alternative to init freedom;-) The 1st alternative is "allow-unauthenticated" and/or "allow-insecure-repositories". Does not sound trustworthy, really? The second way looks better to me:
As a "normal user" with UID>=1000 download the new key to a directory of your choice:
wget http://deb.devuan.org/devuan/pool/main/d/devuan-keyring/devuan-keyring_2022.09.04_all.deb
Note: Meanwhile https://www.devuan.org/os/keyring states
apt-get install devuan-keyring
but I tend to disagree: wget does one thing, download one file, but apt installing one file may affect other packages.
Verify the checksum by yourself, that's to say:
sha256sum ./devuan-keyring_2022.09.04_all.deb
has an output of
96c4a206e8dfdc21138ec619687ef9acf36e1524dd39190c040164f37cc3468d ./devuan-keyring_2022.09.04_all.deb
Make sure that's ok!
Now inject this verified file into your system:
# dpkg -i ./devuan-keyring_2022.09.04_all.deb
Note: sudo wants the user's password, but I prefer a real root shell.
Then update the package information:
# apt update
Summary:
As far as I can trust myself;-) I have copied that verified deb-file to a USB stick. Using this file with dpkg -i just before any apt update works on every devuan/jessie 'til chimaera I can reach! AND it keeps my last DVD alive: Around Easter 2022 I burned that raw DVD with chimaera to check discless hardware without internet connection. Updating the keyring is just a small step just before getting another host up and running.
Last but not least:
apt-cache policy devuan-keyring
devuan-keyring:
Installiert: 2022.09.04
Installationskandidat: 2022.09.04
Versionstabelle:
*** 2022.09.04 500
500 http://deb.devuan.org/merged chimaera/main amd64 Packages
100 /var/lib/dpkg/status
apt-key list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
man apt-key
apt-key(8) will last be available in Debian 11 and Ubuntu 22.04.
Thanks for all your work and a better new week.
guuml is an abbreviation for gü in ASCII (1967),
focused on devuan and skipping epic poems like beowulf.
Has Gü spent his last raw DVD to a chimäre? No.
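The "calendar thingy" suggested earlier in the thread, and the keyring rotation guuml walks through above, both come down to knowing when an apt signing key expires before EXPKEYSIG hits. This is an added example, not code from this thread or from Devuan's own tooling: a POSIX shell check that parses gpg's colon-format key listing for each apt keyring and flags keys that are expired or about to expire. It assumes gpg is installed; the SAMPLE_KEYS listing is constructed for illustration and is not a real Devuan key.

```shell
#!/bin/sh
# Added example: warn before an apt signing key expires, so the keyring can be
# rotated ahead of the EXPKEYSIG failure. Consumes `gpg --with-colons` output.
#
# check_expiry THRESHOLD_DAYS NOW_EPOCH   (colon listing on stdin)
#   Prints "EXPIRED <keyid> <days>" or "EXPIRING <keyid> <days>" per key.
#   Exit 1 if any pub/sub key is expired or expires within THRESHOLD_DAYS.
check_expiry() {
    awk -F: -v thr="$1" -v now="$2" '
        ($1 == "pub" || $1 == "sub") && $7 != "" {
            # field 5 = key id, field 7 = expiry as epoch seconds (empty = never)
            days = int(($7 - now) / 86400)
            if ($7 <= now) { print "EXPIRED " $5 " " days; bad = 1 } else if (days <= thr) { print "EXPIRING " $5 " " days; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# scan_apt_keyrings [THRESHOLD_DAYS]   (default 30)
# Walks the keyrings apt trusts (real paths; which files exist depends on the
# host) and runs check_expiry on each. Assumes gpg is installed.
scan_apt_keyrings() {
    now=$(date +%s); rc=0
    for kr in /etc/apt/trusted.gpg.d/*.gpg /etc/apt/trusted.gpg; do
        [ -f "$kr" ] || continue
        echo "== $kr"
        gpg --no-default-keyring --keyring "$kr" --list-keys \
            --with-colons --fixed-list-mode 2>/dev/null \
            | check_expiry "${1:-30}" "$now" || rc=1
    done
    return $rc
}

# Constructed sample listing (not a real key): key ...01 expires at epoch
# 1700000000, its subkey ...02 much later, key ...03 has no expiry at all.
SAMPLE_KEYS='pub:-:4096:1:0000000000000001:1600000000:1700000000::-:::scESC:
uid:-::::1600000000::0000000000000000000000000000000000000000::Constructed Key One::
sub:-:4096:1:0000000000000002:1600000000:1900000000:::::e:
pub:-:4096:1:0000000000000003:1600000000:::-:::scESC:'

# Stand-alone demo: pretend "now" is epoch 1699000000, 30-day threshold.
printf '%s\n' "$SAMPLE_KEYS" | check_expiry 30 1699000000 || echo "action needed: rotate keyring"
```

On a live host, `scan_apt_keyrings 30` run from cron is the reminder; a non-zero exit is the signal to ship a new keyring package.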
@guuml.dev1 : You were probably composing your note and didn't see my previous post #39 at 16:32:49 ...
It looks like whoever is in charge of the archive keys managed to get them re-signed with a valid signature.
So suddenly, apt/apt-get updates just started working (magically) again with no need for a manual intervention.
Now: It Just Works. [tm]
[ On my systems which are running chimaera and beowulf. ]
Last edited by dave (2022-09-12 15:38:25)
At https://ido.rrq.id.au/download there is an initial collection of trial installer ISOs that need to be tested in a range of settings.
Hi Ralph,
there are no files at https://ido.rrq.id.au/download anymore, is the test period over?
Thanks for your time!
As the key issue was fixed without needing ISO remake, the trial remakes were removed.
I see... Great, thanks!