summaryrefslogtreecommitdiff
path: root/cmdline
diff options
context:
space:
mode:
authorDavid Kalnischkies <david@kalnischkies.de>2016-05-01 14:43:23 +0200
committerDavid Kalnischkies <david@kalnischkies.de>2016-05-01 15:50:04 +0200
commit5f17b19f8f99eb6f80a10846d5891f53c16178dc (patch)
tree2f4e25ca49f00bea59ce43393d52909e9d8a7925 /cmdline
parent87d468fe355c87325c943c40043a0bb236b2407f (diff)
warn if apt-key is run unconditionally in maintainerscript
We want to stop hard-depending on gnupg and for this it is essential that apt-key isn't used in any critical execution path, which maintainerscript are. Especially as it is likely that these script call apt-key either only for (potentially now outdated cleanup) or still not use the much simpler trusted.gpg.d infrastructure.
Diffstat (limited to 'cmdline')
-rw-r--r--cmdline/apt-key.in15
1 files changed, 14 insertions, 1 deletions
diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in
index 3ed2a70ce..3f9f01627 100644
--- a/cmdline/apt-key.in
+++ b/cmdline/apt-key.in
@@ -493,8 +493,21 @@ create_gpg_home() {
}
prepare_gpg_home() {
+ # crude detection if we are called from a maintainerscript where the
+ # package depends on gnupg or not. We accept recommends here as
+ # well as the script hopefully uses apt-key optionally then like e.g.
+ # debian-archive-keyring for (upgrade) cleanup did
+ if [ -n "$DPKG_MAINTSCRIPT_PACKAGE" ]; then
+ if ! dpkg-query --show --showformat '${Pre-Depends}${Depends}${Recommends}' "$DPKG_MAINTSCRIPT_PACKAGE" 2>/dev/null | grep -q gnupg; then
+ cat >&2 <<EOF
+Warning: The $DPKG_MAINTSCRIPT_NAME maintainerscript of the package $DPKG_MAINTSCRIPT_PACKAGE
+Warning: seems to use apt-key (provided by apt) without depending on gnupg or gnupg2.
+Warning: This will BREAK in the future and should be fixed by the package maintainer(s).
+Note: Check first if apt-key functionality is needed at all - it probably isn't!
+EOF
+ fi
+ fi
eval "$(apt-config shell GPG_EXE Apt::Key::gpgcommand)"
-
if [ -n "$GPG_EXE" ] && command_available "$GPG_EXE"; then
true
elif command_available 'gpg'; then