From d3213963281a4f910b78679dad35bf59ddbd721c Mon Sep 17 00:00:00 2001
From: Michael Vogt
Date: Tue, 23 Jul 2013 20:09:05 +0200
Subject: debian/apt.postinst: * debian/apt.postinst: - run /etc/kernel/postinst.d/apt-auto-removal once on upgrade to ensure that the correct auto-removal list is generated (closes: #717615)
---
 debian/apt.postinst | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'debian/apt.postinst')
diff --git a/debian/apt.postinst b/debian/apt.postinst
index bd814e1af..9ff1e031c 100644
--- a/debian/apt.postinst
+++ b/debian/apt.postinst
@@ -28,6 +28,10 @@ case "$1" in
 chmod -f 0640 /var/log/apt/term.log* || true
 fi
+ # create kernel autoremoval blacklist on update
+ if dpkg --compare-versions "$2" lt-nl 0.9.9.3; then
+ /etc/kernel/postinst.d/apt-auto-removal
+ fi
 ;;
 abort-upgrade|abort-remove|abort-deconfigure)
-- cgit v1.2.3
From f9e64e7bb0c125b54f0699d9e08956a88b467a7f Mon Sep 17 00:00:00 2001
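Review bot: The added call to `/etc/kernel/postinst.d/apt-auto-removal` in the `configure)` arm runs as root with no check that the hook is still present and executable, and the script runs under `set -e`, so a hook that was removed or made non-executable locally (it lives under /etc) would abort the whole apt postinst. If a missing hook should not block configuration, guard the call with `if [ -x /etc/kernel/postinst.d/apt-auto-removal ]; then` inside the version check. The same unguarded call is still present in the later hunk on this page that changes `lt-nl` to `lt`. The `configure)` arm starts outside this hunk.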
From: David Kalnischkies
Date: Mon, 12 Aug 2013 00:19:10 +0200
Subject: use a tmpfile for trustdb.gpg in apt-key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
for some "interesting" reason gpg decides that it needs to update its trustdb.gpg file in a --list-keys command even if right before gpg is asked to --check-trustdb. That wouldn't be as bad if it wouldn't modify the keyring being listed at that moment as well, which generates not only warnings which are not a problem for us, but as the keyring modified can be in /usr it modified files which aren't allowed to be modified. The suggested solution in the bugreport is running --check-trustdb unconditionally in an 'apt-key update' call, but this command will not be used in the future and this could still potentially bite us in net-update or adv calls. All of this just to keep a file around, which we do not need… The commit therefore switches to the use of a temporary created trusted.gpg file for everyone and asks gpg to not try to update the trustdb after its intial creation, which seems to avoid the problem altogether. It is using your also faked secring btw as calling the check-trustdb without a keyring is a lot slower … Closes: #687611 Thanks: Andreas Beckmann for the initial patch!
---
 debian/apt.postinst | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
(limited to 'debian/apt.postinst')
diff --git a/debian/apt.postinst b/debian/apt.postinst
index 9ff1e031c..caa05ccdf 100644
--- a/debian/apt.postinst
+++ b/debian/apt.postinst
@@ -15,10 +15,15 @@ set -e
 case "$1" in
 configure)
- SECRING='/etc/apt/secring.gpg'
- # test if secring is an empty normal file
- if test -f $SECRING -a ! -s $SECRING; then
- rm -f $SECRING
+ if dpkg --compare-versions "$2" lt-nl 0.9.9.5; then
+ # we are using tmpfiles for both
+ rm -f /etc/apt/trustdb.gpg
+ # this removal was done unconditional since 0.8.15.3
+ SECRING='/etc/apt/secring.gpg'
+ # test if secring is an empty normal file
+ if test -f $SECRING -a ! -s $SECRING; then
+ rm -f $SECRING
+ fi
 fi
 apt-key update
-- cgit v1.2.3
From ec9272975f454d3911e61e5cc3b29fe90fe2ee54 Mon Sep 17 00:00:00 2001
From: David Kalnischkies
Date: Mon, 12 Aug 2013 17:26:54 +0200
Subject: do not call 'apt-key update' in apt.postinst The debian-archive-keyring package ships trusted.gpg.d fragment files for a while now and dropped their call to 'apt-key update', so there is no need for use to call it as the keys will always be available. This also finally allows a user to remove key(ring)s without APT to overriding this decision by readding them with this step. The functionality is kept around in the odd case that an old debian-archive-keyring package is used which still calls 'apt-key update' and depends on the import (hence, we also do not enforce a newer version of the debian-archive-keyring via our dependencies)
---
 debian/apt.postinst | 1 -
 1 file changed, 1 deletion(-)
(limited to 'debian/apt.postinst')
diff --git a/debian/apt.postinst b/debian/apt.postinst
index caa05ccdf..70de237d0 100644
--- a/debian/apt.postinst
+++ b/debian/apt.postinst
@@ -25,7 +25,6 @@ case "$1" in
 rm -f $SECRING
 fi
 fi
- apt-key update
 # ensure tighter permissons on the logs, see LP: #975199
 if dpkg --compare-versions "$2" lt-nl 0.9.7.7; then
-- cgit v1.2.3
From 5361a6180571f5921b6c006129b5f0c274b6154b Mon Sep 17 00:00:00 2001
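Review bot: In the `@@ -15,10 +15,15 @@` hunk, the new comment `# we are using tmpfiles for both` does not say which two files it means. Going by the commit message it is presumably trustdb.gpg and secring.gpg, so a wording such as `# apt-key now keeps trustdb.gpg and secring.gpg in temporary files; remove stale copies from /etc/apt` would make the root-run `rm -f` lines easier to audit. The re-indented `test -f $SECRING -a ! -s $SECRING` also keeps the unquoted expansions and the obsolescent `-a` operator; `[ -f "$SECRING" ] && [ ! -s "$SECRING" ]` is the more robust form. The `configure)` arm continues past the end of this hunk.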
From: Michael Vogt
Date: Tue, 8 Oct 2013 19:46:39 +0200
Subject: debian/apt.postinst: use --compare-versions lt instead of lt-nl, to ensure the apt-auto-removal file is correctly create, thanks to Ben Hutchings
---
 debian/apt.postinst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'debian/apt.postinst')
diff --git a/debian/apt.postinst b/debian/apt.postinst
index 70de237d0..fd3e273bb 100644
--- a/debian/apt.postinst
+++ b/debian/apt.postinst
@@ -33,7 +33,7 @@ case "$1" in
 fi
 # create kernel autoremoval blacklist on update
- if dpkg --compare-versions "$2" lt-nl 0.9.9.3; then
+ if dpkg --compare-versions "$2" lt 0.9.9.3; then
 /etc/kernel/postinst.d/apt-auto-removal
 fi
 ;;
-- cgit v1.2.3
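Review bot: The context comment `# create kernel autoremoval blacklist on update` is out of date after this change, because with `lt` an empty `$2` compares as earlier than any version, so the block now also runs on a fresh install and not only on upgrade. Suggest rewording it to `# create kernel autoremoval blacklist on fresh install and on upgrade from versions before 0.9.9.3`. The comment is unchanged context in this hunk, and the enclosing `configure)` arm starts outside it.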