[SRU] Upload latest archlinux-keyring from oracular to noble-proposed

Bug #2076416 reported by Luca Boccassi
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
archlinux-keyring (Ubuntu) | Status tracked in Oracular | | |
Noble | Confirmed | Undecided | Unassigned |
Oracular | Fix Released | Undecided | Unassigned |

Bug Description

[Impact]

archlinux-keyring is a package in Oracular and Noble that provides an archive of signing keys for Archlinux.

As stated by the reporter, this package allows users to bootstrap and build Arch, useful for CI and image building purposes.

The package should be updated in noble-proposed to provide the latest keys to LTS users. Unlike Ubuntu, Debian or Fedora, on Archlinux there is no single archive key that users can use to verify packages and repositories; the key of the individual uploader is needed to verify each package that they upload, so updates are necessary when new packages/maintainers are added. A simple rebuild with a new changelog entry is sufficient.

[Test Plan]

To test, the package should be installed on noble, and gpg keys should be checked. This can be done with the following commands:

$ sudo apt update
$ sudo apt upgrade
$ sudo apt install archlinux-keyring mkosi
$ mkosi -d arch build
‣ Syncing package manager metadata for default image
:: Synchronizing package databases...
 core is up to date
 extra is up to date
‣ Building default image
‣ Installing Arch
<...>

[Where problems could occur]

The package is already in noble, but it has not yet been shipped in that version. Therefore if problems were to occur, it would most likely be in interactions with other packages. This could show up as conflicts in the /usr/share/keyrings directory, or failures when using the contained keys.

Luca Boccassi (bluca)
description: updated
Changed in archlinux-keyring (Ubuntu Oracular):
status: New → Fix Released
Changed in archlinux-keyring (Ubuntu Noble):
status: New → Confirmed
Luca Boccassi (bluca)
description: updated
Robie Basak (racb) wrote :

bluca asked me to help with sponsoring this.

> Unlike Ubuntu, Debian or Fedora, on Archlinux there is no single archive key that users can use to verify packages and repositories; the key of the individual uploader is needed to verify each package that they upload, so updates are necessary when new packages/maintainers are added.

This doesn't seem like it's practical to maintain via SRUs then?

As I mentioned in bug 2075505, I'm not sure that maintaining and updating packages in the Ubuntu archive is the correct architecture here.

I'm declining to sponsor this without consensus amongst Ubuntu developers that constant SRUs of these packages is the right architecture to use.

Luca Boccassi (bluca) wrote :

> This doesn't seem like it's practical to maintain via SRUs then?
> As I mentioned in bug 2075505, I'm not sure that maintaining and updating packages in the Ubuntu archive is the correct architecture here.

I don't think there would be any issue with maintaining these. A couple of updates a year would be enough, and they are very mechanical - it's just a list of keys, there's no running code, and the packaging structure doesn't need to change, and it's trivial to test it.

It used to be the case that there was compiled Rust code that needed to run at runtime and whatnot, and yeah that would have been impractical, but we managed to remove all of that, so it's now purely inert data being shipped.
