[SRU] Upload latest archlinux-keyring from oracular to noble-proposed
Affects | Status | Importance | Assigned to | Milestone | ||
---|---|---|---|---|---|---|
archlinux-keyring (Ubuntu) | Status tracked in Oracular | |||||
Noble |
Confirmed
|
Undecided
|
Unassigned | |||
Oracular |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[Impact]
archlinux-keyring is a package in Oracular and Noble that provides an archive of signing keys for Archlinux.
As stated by the reporter, this package allows users to bootstrap and build Arch, useful for CI and image building purposes.
The package should be updated in noble-proposed to provide the latest keys to LTS users. Unlike Ubuntu, Debian or Fedora, on Archlinux there is no single archive key that users can use to verify packages and repositories, the key of the individual uploader is needed to verify each package that they upload, so updates are necessary when new packages/
[Test Plan]
To test, the package should be installed on noble, and gpg keys should be checked. This can be done with the following commands:
$ sudo apt update
$ sudo apt upgrade
$ sudo apt install archlinux-keyring mkosi
$ mkosi -d arch build
‣ Syncing package manager metadata for default image
:: Synchronizing package databases...
core is up to date
extra is up to date
‣ Building default image
‣ Installing Arch
<...>
[Where problems could occur]
The package is already in noble, but it has not yet been shipped in that version. Therefore if problems were to occur, it would most likely be in interactions with other packages. This could show up as conflicts in the /usr/share/keyrings directory, or failures when using the contained keys.
description: | updated |
Changed in archlinux-keyring (Ubuntu Oracular): | |
status: | New → Fix Released |
Changed in archlinux-keyring (Ubuntu Noble): | |
status: | New → Confirmed |
description: | updated |
bluca asked me to help with sponsoring this.
> Unlike Ubuntu, Debian or Fedora, on Archlinux there is no single archive key that users can use to verify packages and repositories, the key of the individual uploader is needed to verify each package that they upload, so updates are necessary when new packages/ maintainers are added.
This doesn't seem like it's practical to maintain via SRUs then?
As I mentioned in bug 2075505, I'm not sure that maintaining and updating packages in Ubuntu archive is the correct architecture here.
I'm declining to sponsor this without consensus amongst Ubuntu developers that constant SRUs of these packages is the right architecture to use.