opensearch-project / documentation-website

The documentation for OpenSearch, OpenSearch Dashboards, and their associated plugins.
https://opensearch.org/docs
Apache License 2.0

[DOC] Debian for 3rd-party repositories #7332

Open dhs-rec opened 3 months ago

dhs-rec commented 3 months ago

What do you want to do?

Tell us about your request.

The Debian installation instructions tell users to install the repository keyring into /usr/share/keyrings, but according to Debian instructions for 3rd-party repositories, this directory should only be used if there is also a package provided that manages the keyring at this location going forward. If that is NOT the case, the keyring should be stored in /etc/apt/keyrings instead. Please either fix the documentation or provide a package for managing the keyring.

What other resources are available?

See https://wiki.debian.org/DebianRepository/UseThirdParty

Relevant paragraph:

> If future updates to the certificate will be managed by an apt/dpkg package as recommended below, then it SHOULD be downloaded into /usr/share/keyrings using the same filename that will be provided by the package. If it will be managed locally, it SHOULD be downloaded into /etc/apt/keyrings instead.

hdhalter commented 3 months ago

Thanks, @dhs-rec! Would you like to raise the PR for the update? @peterzhuamazon for visibility.

dhs-rec commented 3 months ago

> Thanks, @dhs-rec! Would you like to raise the PR for the update?

That depends on what the preferred fix is. If it's just the documentation update, then yes, I can do that. However, from a user's perspective, having a package to manage the keyring file after the initial setup would be way more comfortable.

hdhalter commented 3 months ago

@peterzhuamazon - What do you suggest?

peterzhuamazon commented 3 months ago

Hi @dhs-rec,

In the same doc it says: https://wiki.debian.org/DebianRepository/UseThirdParty

> In releases older than Debian 12 and Ubuntu 22.04, /etc/apt/keyrings does not exist by default. It SHOULD be created with permissions 0755 if it is needed and does not already exist.

Ultimately it is a path for locating a key file. I looked at how Temurin handles this, and it uses /etc/apt/trusted.gpg.d/, which is also not recommended: https://adoptium.net/installation/linux/

> The certificate MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by apt-key add.

Sury.org was one of the suggestions I received in this issue and they also use /usr/share/keyrings. https://github.com/opensearch-project/opensearch-build/issues/3371#issuecomment-1497830461

I think if needed we can definitely add a step for mkdir for /etc/apt/keyrings and switch to there, but to me it feels like users can change that at any given time. Is there any more documentation or an example you can refer me to so I can take a look?

Thanks.

dhs-rec commented 2 months ago

The PostgreSQL folks do it right: https://wiki.postgresql.org/wiki/Apt. They also provide a package for managing the keyring file.

peterzhuamazon commented 2 months ago

I think we could change the location of the key to /usr/share/opensearch-commons if needed. Or just add a mkdir for /etc/apt/keyrings.

Though again, maybe I missed it: what is the harm in adding a key to /usr/share/keyrings?

Trying to check if there is a hard requirement for us to make that switch. Thanks.

dhs-rec commented 2 months ago

> I think we could change the location of the key to /usr/share/opensearch-commons if needed. Or just add a mkdir for /etc/apt/keyrings.
>
> Though again, maybe I missed it: what is the harm in adding a key to /usr/share/keyrings?

@peterzhuamazon, there is no harm; things will work regardless of where the key is stored. But if the key is added to /usr/share/keyrings, users expect (from reading the linked Debian wiki page) that there is a package provided which manages that key going forward. And that is not the case here.

> Trying to check if there is a hard requirement for us to make that switch. Thanks.

Only if you want to follow Debian's standards for 3rd-party repositories...
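The "add a mkdir for /etc/apt/keyrings" option discussed in this thread, sketched as an added example that is not from the issue or from the OpenSearch documentation. The function name `install_local_keyring`, the `APT_ROOT` scratch prefix and the repository URI in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: place a locally managed repository key in /etc/apt/keyrings
# and pin it to one repository with signed-by.
# APT_ROOT (hypothetical) is a prefix for trying this on a scratch directory;
# leave it unset to act on the real /etc/apt, which requires root.
#
# Usage with placeholder values:
#   install_local_keyring ./example.gpg example https://repo.example.invalid/apt stable main

install_local_keyring() {
    key_src=$1      # key file, already downloaded and checked out of band
    repo_name=$2    # short name used for the keyring and the .list file
    repo_uri=$3
    suite=$4
    component=$5

    keyring_dir="${APT_ROOT:-}/etc/apt/keyrings"
    list_dir="${APT_ROOT:-}/etc/apt/sources.list.d"

    # apt tells ASCII-armored keys from binary ones by file extension.
    case $key_src in
        *.asc) ext=asc ;;
        *)     ext=gpg ;;
    esac
    keyring="/etc/apt/keyrings/${repo_name}.${ext}"

    # Refuse an empty or missing key instead of writing a broken source entry.
    [ -s "$key_src" ] || { echo "empty or missing key: $key_src" >&2; return 1; }

    # Releases older than Debian 12 / Ubuntu 22.04 lack this directory;
    # create it with mode 0755 only if it does not already exist.
    [ -d "$keyring_dir" ] || install -d -m 0755 "$keyring_dir" || return 1
    [ -d "$list_dir" ] || install -d -m 0755 "$list_dir" || return 1

    # World-readable, root-writable: apt's unprivileged fetcher must read it.
    install -m 0644 "$key_src" "${APT_ROOT:-}${keyring}" || return 1

    # signed-by limits this key to this repository, unlike trusted.gpg.d,
    # where a key is trusted for every configured source.
    printf 'deb [signed-by=%s] %s %s %s\n' \
        "$keyring" "$repo_uri" "$suite" "$component" \
        > "$list_dir/${repo_name}.list" || return 1
}
```
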