[Aptitude-devel] Bug#706183: rationale

Dave U. Random anonymous at anonymitaet-im-inter.net
Tue May 6 20:49:39 UTC 2014 

> What difference the distinction make?  If the key is not present,
> valid, and the packages signed, they are untrusted.

It makes a difference in what further actions are taken.  An unsigned
package is unresolvable in most cases, so the admin must
take-it-or-leave-it, and that can often be decided on the fly (without
investigation), depending on circumstances.

> This general warning is sufficient to alert the local admin to a
> problem, which they can investigate.

That's the problem.  Aptitude has information that would be useful in
the investigation, but it's withholding the information.  This
increases the investigative effort.

The admin is the ultimate judge of what's untrusted, not the tool.
The tool should be feeding the admin information to judge from.

> The alternative is to group the untrusted packages by the one or
> multiple underlying causes, which may involve e.g. multiple
> different expired keys.  Now that is a long winded and complex
> dialog,

Comprehensive detail is just what the admin wants, if they specify
--verbose.

> with very little benefit as it is trivial to investigate the cause
> outside of aptitude.

You say that as an Aptitude developer.  Yet this is undocumented.
That is, "man aptitude" gives no information about how to query for a
packages signing information.  "aptitude show" omits key ids.
Ironically, "man apt-key" also gives no instruction to find a packages
signing information.

One can do a "gpg --list-keys" and "apt-key list" to see what keys are
on the keyring, but it's insufficient, nor would I trivialize that.
Very few people have a good understanding of public key cryptography,
let alone how to correlate a package with a key id (which remains
undocumented).  As someone with 20 years of PGP experience and 5 years
of debian experience, I can say this is not a "trivial" investigation.

If aptitude continues withholding details about why *it* distrusts a
package, it should at a minimum tell cite a document (since the
aptitude man page comes up empty).

More information about the Aptitude-devel mailing list