
Issues with Bullseye


Hans

Aug 15, 2021, 5:40:05 AM

Dear list,


since the release of bullseye I got into two issues.


1. the PGP key of the repo is no longer valid.


Is there a new one? How to get?


2.  deb http://security.debian.org/ stable/updates main contrib non-free

is not reachable.


Is it down? How can it be fixed?


Another thing besides this: I am wondering why the Debian documentation differs between http and https at the entries for the security and the normal packages. I would have expected that all entries are using https, and no more http. Any special reason for it or is it just a forgotten change?


Best regards


Hans 


Eike Lantzsch ZP6CGE

Aug 15, 2021, 6:10:07 AM

Hi Hans!
Hope you are well

 

1)  you need to copy the keys into /etc/apt/trusted.gpg.d
there is no apt-keyring package anymore


see here:

 5.3.2. Deprecated components for bullseye

With the next release of Debian 12 (codenamed bookworm) some features will be deprecated. Users will need to migrate to other alternatives to prevent trouble when updating to Debian 12.

This includes the following features:

  • The historical justifications for the filesystem layout with /bin, /sbin, and /lib directories separate from their equivalents under /usr no longer apply today; see the Freedesktop.org summary. Debian bullseye will be the last Debian release that supports the non-merged-usr layout; for systems with a legacy layout that have been upgraded without a reinstall, the usrmerge package exists to do the conversion if desired.
  • bullseye is the final Debian release to ship apt-key. Keys should be managed by dropping files into /etc/apt/trusted.gpg.d instead, in binary format as created by gpg --export with a .gpg extension, or ASCII armored with a .asc extension.

A replacement for apt-key list to manually investigate the keyring is planned, but work has not started yet.

2) see here:

 

Clint Adams: upgrayedd

Date:14.08.21 07:27


Mom,

When you upgrade to bullseye, you need to change your security source from

deb http://security.debian.org/ buster/updates main

to

deb http://security.debian.org/debian-security bullseye-security main

However, that will silently fail to work if you forget to update the file in /etc/apt/preferences.d to add something like this stanza:

Explanation: Debian security
Package: *
Pin: release o=Debian,n=bullseye-security
Pin-Priority: 990

Posted on 2021-08-14

Tags: quanks


and here:

 5.1.3. Changed security archive layout

For bullseye, the security suite is now named bullseye-security instead of codename/updates and users should adapt their APT source-list files accordingly when upgrading.

The security line in your APT configuration may look like:

deb https://deb.debian.org/debian-security bullseye-security main contrib

If your APT configuration also involves pinning or APT::Default-Release, it is likely to require adjustments as the codename of the security archive no longer matches that of the regular archive. An example of a working APT::Default-Release line for bullseye looks like:

APT::Default-Release "/^bullseye(|-security|-updates)$/";

which takes advantage of the undocumented feature of APT that it supports regular expressions (inside /).

Cheers
Eike ZP6CGE

Teemu Likonen

Aug 15, 2021, 6:30:05 AM
* 2021-08-15 11:36:54+0200, Hans wrote:

> 2. deb http://security.debian.org/ stable/updates main contrib non-free
> is not reachable.

When upgrading a Debian system you should always read the release notes.
https://www.debian.org/releases/bullseye/amd64/release-notes/

Section 4.2.7 says:


4.2.7. The security section

For APT source lines referencing the security archive, the format has
changed slightly along with the release name, going from buster/updates
to bullseye-security; see Section 5.1.3, “Changed security archive
layout”.


The referred section says:


5.1.3. Changed security archive layout

For bullseye, the security suite is now named bullseye-security
instead of codename/updates and users should adapt their APT
source-list files accordingly when upgrading.

The security line in your APT configuration may look like:

deb https://deb.debian.org/debian-security bullseye-security main contrib

[...]

--
/// Teemu Likonen - .-.. https://www.iki.fi/tlikonen/
// OpenPGP: 4E1055DC84E9DFF613D78557719D69D324539450

Hans

Aug 15, 2021, 7:20:06 AM

Hi Eike,


it is not that easy and sadly this does not work. I copied the Release.gpg to /etc/apt/trusted.gpg.d/ and renamed it to "debian-archive-bullseye-stable.gpg".


I also get lots of errors, since bullseye changed something. Please see:


-------------------- snip -----------------------------

LANG=C aptitude update

    
Hit http://deb.debian.org/debian-security bullseye-security InRelease
Hit http://download.opensuse.org/repositories/home:/cabelo/Debian_10  InRelease                            
Hit http://downloads.metasploit.com/data/releases/metasploit-framework/apt lucid InRelease
Hit https://deb.opera.com/opera-stable stable InRelease                                                    
Err https://ftp.de.debian.org/debian stable InRelease                                        
Certificate verification failed: The certificate is NOT trusted. The name in the certificate does not match the expected.  Could not handshake: Error in the certificate verification. [IP: 141.76.2.4 443]
Hit https://updates.signal.org/desktop/apt xenial InRelease                                                
Hit https://download.opensuse.org/repositories/home:/tabos-team/Debian_10  InRelease        
Hit https://www.kismetwireless.net/repos/apt/release/buster buster InRelease
W: http://deb.debian.org/debian-security/dists/bullseye-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg are ignored as the file has an unsupported filetype.
W: http://download.opensuse.org/repositories/home:/cabelo/Debian_10/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg are ignored as the file has an unsupported filetype.
W: http://downloads.metasploit.com/data/releases/metasploit-framework/apt/dists/lucid/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg are ignored as the file has an unsupported filetype.
W: https://deb.opera.com/opera-stable/dists/stable/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg are ignored as the file has an unsupported filetype.
W: https://updates.signal.org/desktop/apt/dists/xenial/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg are ignored as the file has an unsupported filetype.
W: https://download.opensuse.org/repositories/home:/tabos-team/Debian_10/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg are ignored as the file has an unsupported filetype.
W: https://www.kismetwireless.net/repos/apt/release/buster/dists/buster/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg are ignored as the file has an unsupported filetype.
W: Failed to fetch https://ftp.de.debian.org/debian/dists/stable/InRelease: Certificate verification failed: The certificate is NOT trusted. The name in the certificate does not match the expected.  Could not handshake: Error in the certificate verification. [IP: 141.76.2.4 443]
W: Some index files failed to download. They have been ignored, or old ones used instead.

 

 

--------------- snap --------------------

It looks like the other previously working keys now also no longer match.


Is there a solution for it? I also tried gpg --export, but that did not work either.


Best regards


Hans (DL4OCJ)

 


> Hi Hans!
> Hope you are well
>
> 1)  you need to copy the keys into /etc/apt/trusted.gpg.d
> there is no apt-keyring package anymore
>
> see here:
>
> *5.3.2. Deprecated components for bullseye*
> With the next release of Debian 12 (codenamed bookworm) some features will
> be deprecated. Users will need to migrate to other alternatives to prevent
> trouble when updating to Debian 12.
> This includes the following features:
>      *  The historical justifications for the filesystem layout with */bin*,
> */sbin*, and */lib* directories separate from their equivalents under
> */usr* no longer apply today; see the Freedesktop.org summary[1]. Debian
> bullseye will be the last Debian release that supports the non-merged-usr
> layout; for systems with a legacy layout that have been upgraded without a
> reinstall, the *usrmerge* package exists to do the conversion if desired.
>      *  bullseye is the final Debian release to ship *apt-key*. Keys should
> be managed by dropping files into */etc/apt/trusted.gpg.d* instead, in
> binary format as created by *gpg --export* with a *.gpg* extension, or
> ASCII armored with a *.asc* extension. A replacement for *apt-key list* to


Brian

Aug 15, 2021, 9:20:05 AM
On Sun 15 Aug 2021 at 11:36:54 +0200, Hans wrote:

[...]

> Another thing besides this: I am wondering, why the debian documentation differs
> between http and https at the entries for the security and the normal
> packages. I would have been expected, that all entries are using https, and no more
> http. Any special reason for it or is it just a forgotten change?

Does

https://unix.stackexchange.com/questions/90227/why-is-there-no-https-transport-for-debian-apt-tool

address your query?

An excerpt from the page:

Debian doesn't make HTTPS downloads easy because there is very little
benefit. Debian package distribution already includes a mechanism to
verify packages: all packages are signed with Gpg.

--
Brian.

Hans

Aug 15, 2021, 10:20:04 AM
Yeah, not quite. I was already aware, that https won't improve security much.

I just wondered why the docu is once telling "use https" and once "http". If
only using either https or http, this would not create confusion.

Looks like I am too critical. Am I not? :)

Best regards

Hans



> Does
>
> https://unix.stackexchange.com/questions/90227/why-is-there-no-https-transport-for-debian-apt-tool
>
> address your query?


Brian

Aug 15, 2021, 10:40:04 AM
On Sun 15 Aug 2021 at 16:13:51 +0200, Hans wrote:

> Yeah, not quite. I was already aware, that https won't improve security much.
>
> I just wondered why the docu is once telling "use https" and once "http". If
> only using either https or http, this would not create confusion.
>
> Looks like I am too critical. Am I not? :)

There isn't any such thing as being "too critical" when it comes to
technical matters :).

A link to the page you were looking at might help.

--
Brian.

Polyna-Maude Racicot-Summerside

Aug 15, 2021, 11:00:05 AM


On 2021-08-15 10:51 a.m., Hans wrote:
> On Sunday, 15 August 2021, 16:36:05 CEST, Brian wrote:
> Yes, you are very right!
>>
>> There isn't any such thing as being "too critical" when it comes to
>> technical matters :).
>>
>> A link to the page you were looking at might help.
>
> To everyone:
>
> I have still the problem, that the debian/bullseye repo can not be
> authenticated. Copying the Release.gpg from the repo to
> /etc/apt/trusted.gpg.d/ did not help.
Have you tried adding *[trusted=yes]* inside the sources.list file that
contains a reference to this repository?
>
> Apt/Aptitude/apt-get is still telling me, it is the wrong format. I tried, to
> use gpg --export, but that did not work.
>
> Looked into the existing gpg files, they look not as Release.gpg. So I used
> --dearmor, with no success.
>
> It would really help, if there could be an upgraded debian-archive-keyring
> package or a little documentation, how to add/import the keys into
> trusted.gpg.d/ since apt-key does not work any more.
>
> Simply copying does not work(!) and the documentation really lacks some
> information, which would help.
>
> Or is it a bug? Should I file a bugreport?
>
> Thanks for any hints.
>
> Best regards
>
> Hans
>
>
>

--
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development
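
Added example, not part of any message in this thread: a shell check for two sources.list conditions the thread touches on, the old codename/updates security suite described in Release Notes § 5.1.3 and a [trusted=yes] option, which tells APT to accept a source even when signature verification fails. The function name audit_sources and the repo.example.invalid entry are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit one-line-style APT source entries read from stdin.
# audit_sources is a hypothetical helper name; findings go to stdout.
audit_sources() {
    awk '
    $1 != "deb" && $1 != "deb-src" { next }      # skip comments and blank lines
    {
        i = 2; opts = ""
        if ($i ~ /^\[/)                          # optional [opt=val ...] block
            for (; i <= NF; i++) {
                opts = opts " " $i
                if ($i ~ /\]$/) { i++; break }
            }
        uri = $i; suite = $(i + 1)
        if (opts ~ /trusted=yes/)
            printf "line %d: trusted=yes, %s is accepted without signature checks\n", NR, uri
        if (suite ~ /\/updates$/)
            printf "line %d: suite %s uses the old codename/updates layout, bullseye needs bullseye-security\n", NR, suite
    }'
}

# Constructed sample; the first entry is the line quoted in the thread.
sample_sources() {
    cat <<'EOF'
deb http://security.debian.org/ stable/updates main contrib non-free
deb https://deb.debian.org/debian-security bullseye-security main contrib
# deb http://security.debian.org/ buster/updates main
deb [trusted=yes] http://repo.example.invalid/apt stable main
EOF
}

sample_sources | audit_sources
```

On a real system the input would be /etc/apt/sources.list and the *.list files under /etc/apt/sources.list.d.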


Hans

Aug 15, 2021, 11:00:05 AM
On Sunday, 15 August 2021, 16:36:05 CEST, Brian wrote:
Yes, you are very right!
>
> There isn't any such thing as being "too critical" when it comes to
> technical matters :).
>
> A link to the page you were looking at might help.

To everyone:

I have still the problem, that the debian/bullseye repo can not be
authenticated. Copying the Release.gpg from the repo to
/etc/apt/trusted.gpg.d/ did not help.


David Wright

Aug 15, 2021, 11:00:05 AM
I assume this refers to § 5.1.3 in the Release Notes.

A browser has no problem reaching the site with/without the http"s",
but I don't know about APT. However, the OP had the (usual) syntax
error, so that may be the cause of their specific problem.

Cheers,
David.

Frank

Aug 15, 2021, 11:20:05 AM
On 15-08-2021 at 16:51, Hans wrote:
> On Sunday, 15 August 2021, 16:36:05 CEST, Brian wrote:
> Yes, you are very right!
>>
>> There isn't any such thing as being "too critical" when it comes to
>> technical matters :).
>>
>> A link to the page you were looking at might help.
>
> To everyone:
>
> I have still the problem, that the debian/bullseye repo can not be
> authenticated. Copying the Release.gpg from the repo to
> /etc/apt/trusted.gpg.d/ did not help.

That doesn't surprise me. That's a signature, not a key.

> It would really help, if there could be an upgraded debian-archive-keyring
> package or a little documentation, how to add/import the keys into
> trusted.gpg.d/ since apt-key does not work any more.
>
> Simply copying does not work(!) and the documentation really lacks some
> information, which would help.

Simply copying works, if you use the correct file. If the key is
armored, make sure the extension is .asc. Otherwise it should be .gpg.

But downloading an up-to-date version (2021.1.1) of
debian-archive-keyring and installing that (using dpkg -i if necessary -
see below for a direct url) should suffice.

Regards,
Frank

http://deb.debian.org/debian/pool/main/d/debian-archive-keyring/debian-archive-keyring_2021.1.1_all.deb
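
Added example, not part of any message in this thread: a shell helper that tells an OpenPGP public key from a detached signature such as Release.gpg and reports the extension APT expects in /etc/apt/trusted.gpg.d (asc for armored, gpg for binary). The name classify_apt_key and the sample files are constructed for illustration; the check looks only at the file type, not at whose key it is, so the fingerprint still has to be verified separately.

```shell
#!/bin/sh
# Added example: decide whether a file belongs in /etc/apt/trusted.gpg.d and
# under which extension. classify_apt_key is a hypothetical helper name.
classify_apt_key() {
    f=$1
    [ -r "$f" ] || { echo "reject: unreadable file"; return 2; }
    b=$(od -An -tu1 -N1 "$f" | tr -d ' \n')      # first byte as a decimal number
    [ -n "$b" ] || { echo "reject: empty file"; return 1; }
    if [ "$b" -eq 45 ]; then                     # '-' : ASCII armor header line
        line=$(head -n 1 "$f" | tr -d '\r')
        case $line in
            "-----BEGIN PGP PUBLIC KEY BLOCK-----") echo asc; return 0 ;;
            "-----BEGIN PGP SIGNATURE-----")
                echo "reject: detached signature, not a key"; return 1 ;;
            *)  echo "reject: armor is not a public key block"; return 1 ;;
        esac
    fi
    # Binary OpenPGP packet header: bit 7 is always set, bit 6 marks the new format.
    [ "$b" -ge 128 ] || { echo "reject: not OpenPGP data"; return 1; }
    if [ "$b" -ge 192 ]; then tag=$(( b & 63 )); else tag=$(( (b >> 2) & 15 )); fi
    case $tag in
        6) echo gpg ;;                           # public-key packet
        2) echo "reject: detached signature, not a key"; return 1 ;;
        *) echo "reject: packet tag $tag is not a public key"; return 1 ;;
    esac
}

# Constructed sample files (headers only, no real key material).
make_samples() {
    d=$1
    printf '%s\n' '-----BEGIN PGP SIGNATURE-----' > "$d/Release.gpg"
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' > "$d/armored-key"
    printf '\231\002\015' > "$d/binary-key"      # 0x99: old-format header, tag 6
    printf '\302\300' > "$d/binary-sig"          # 0xC2: new-format header, tag 2
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in Release.gpg armored-key binary-key binary-sig; do
    verdict=$(classify_apt_key "$tmp/$f") || true
    echo "$f: $verdict"
done
rm -rf "$tmp"
```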

Hans

Aug 15, 2021, 11:20:06 AM
Yes, but did not work.
Strangely, the entry for bullseye-security seems to work (as there is an
existing key).

Best

Hans

Hans

Aug 15, 2021, 12:10:05 PM
Hi all,

discovered something. It looks like the keys are still not synced to the
mirrors.

I changed from ftp.de.debian.org to deb.debian.org, and all is working like a
charm.

So, I suppose, this issue might be solved.

But it would be nice to add a package with the actual keys into the repo. The
keys in the package "debian-archive-keyring" are too old (2012.1.1).

Thanks for all the help and have so much fun with debian! It's awesome!

Best regards

Hans


Frank

Aug 15, 2021, 12:20:05 PM
On 15-08-2021 at 18:01, Hans wrote:
> Hi all,
>
> discovered something. It looks like the keys are still not synced to the
> mirrors.
>
> I changed from ftp.de.debian.org to deb.debian.org, and all is working like a
> charm.
>
> So, I suppose, this issue might be solved.
>
> But it would be nice to add a package with the actual keys into the repo. The
> keys in the package "debian-archive-keyring" are too old (2012.1.1).

They're not. They're 2021.1.1.

Hans

Aug 15, 2021, 12:30:05 PM
On Sunday, 15 August 2021, 18:15:36 CEST, Frank wrote:
Yes, this was a typo, sorry for that.

Best

Hans

Brian

Aug 16, 2021, 10:20:05 AM
I asked on -doc but there isn't any definitive answer yet. So then
I looked to see what the bullseye installer does when configuring
the package manager.

The protocol choice is still between http, https and ftp. I chose
http as I always have done. The lines put in /etc/apt/sources.list
both begin with http://.

Back to the menu and select https. No choice of country mirror is
allowed. The only offering is deb.debian.org. I assume that is
because it is the only mirror that can be assumed to support https.
The security mirror is still http://... . The other is https://... .

My conclusion is that the line in § 5.1.3 in the Release Notes is
either an overenthusiastic entry or a typo. Either way the advice
there should really be consistent with what the installer does,
even if it does not lead to any problems.

--
Brian.

Brian

Aug 17, 2021, 5:50:04 AM
On Mon 16 Aug 2021 at 15:16:35 +0100, Brian wrote:

[...]

> My conclusion is that the line in § 5.1.3 in the Release Notes is
> either an overenthusiastic entry or a typo. Either way the advice
> there should really be consistent with what the installer does,
> even if it does not lead to any problems.

As sometimes happens...

https://lists.debian.org/debian-devel/2021/08/msg00166.html

The URL http://deb.debian.org/debian-security points to the Fastly CDN,
which supports https. https:// in place of http:// therefore shouldn't
lead to any problems.

Regarding consistency: the prevailing opinion at

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758316

is that

It does not make sense to use https. All data is authenticated
using GPG signatures. https only offers some encryption on top
of that,...

The installer falls in with that view; the Release Notes doesn't.

--
Brian.

Brian

Aug 20, 2021, 1:00:05 PM
On Sun 15 Aug 2021 at 16:51:19 +0200, Hans wrote:

> On Sunday, 15 August 2021, 16:36:05 CEST, Brian wrote:
> Yes, you are very right!
> >
> > There isn't any such thing as being "too critical" when it comes to
> > technical matters :).

Others may have been listening in to us [1]. One never knows what a
short remark leads to :).

[1] https://lists.debian.org/debian-devel/2021/08/msg00269.html

--
Brian.

Hans

Aug 20, 2021, 1:30:05 PM
On Friday, 20 August 2021, 18:55:44 CEST, Brian wrote:
Yeah, looks like we woke a sleeping dog up. :)

Best

Hans