13 Feb 2019 |
Linda | That doesn't exist in Debian. Are the contents of /etc/upstream-release/lsb-release also sonya? | 20:47:46 |
Maximus | the matrix.org repos just don't have that codename :) it's ok | 20:47:48 |
Maximus | no, the content of that is the right release name (xenial from ubuntu) | 20:48:03 |
Linda | I see. | 20:48:17 |
Maximus | you did it right I think | 20:48:17 |
Linda | Thank you. | 20:48:20 |
Maximus | I wouldn't change how you do it | 20:48:25 |
Linda | I'll just whitelist Debian and Ubuntu distributions. | 20:49:20 |
Linda | Can you show me the output of lsb_release -is , please? | 20:50:11 |
shirish | umm... I tried the same and it did remove a couple of bad keys although it didn't list them when I was looking at /etc/apt/trusted.gpg | 20:50:28 |
Maximus | $ lsb_release -is
LinuxMint
| 20:50:29 |
Linda | Thanks. | 20:50:38 |
Linda | shirish: The keys move to /usr/share/keyrings/matrix-archive-keyring.gpg . | 20:51:07 |
shirish | @Linda https://paste.debian.net/1067671/ | 20:51:13 |
shirish | ah ok. | 20:51:17 |
shirish | @Linda: guess it would affect my future riot-web updates? | 20:53:41 |
Linda | Packages from Riot.im are untouched. | 20:53:55 |
Linda | Riot.im and Matrix.org also use different signing keys. | 20:54:04 |
Linda | So no, don't think so. | 20:54:12 |
Linda | I'll probably add a debconf(1) notice (like the APT sources question) explaining the keys have changed locations. | 20:58:33 |
shirish | btw why do we use http://matrix.org/packages/debian/ buster main instead of using https://matrix.org | 21:00:04 |
shirish | umm...whenever I run dpkg-reconfigure matrix it gives the following - | 21:12:24 |
shirish | $ sudo dpkg-reconfigure matrix-archive-keyring
[sudo] password for shirish:
Removed bad key C35EB17E1EAE708E6603A9B3AD0592FE47F0DF61 from /etc/apt/trusted.gpg
DEBUG: deb [signed-by=/usr/share/keyrings/matrix-archive-keyring.gpg] http://matrix.org/packages/debian/ buster main
| 21:12:25 |
shirish | shouldn't it first see/compare the old key and then do any changes if need be. | 21:12:46 |
Linda |
shirish: btw why do we use http://matrix.org/packages/debian/ buster main instead of using https://matrix.org
https://whydoesaptnotusehttps.com/ | 21:16:00 |
Linda | It would also require an extra package apt-transport-https on Debian jessie (oldstable), but fair because jessie isn't supported by Matrix.org at this time. | 21:16:51 |
Linda |
shirish: shouldn't it first see/compare the old key and then do any changes if need be.
Can you elaborate, please? C35EB17E1EAE708E6603A9B3AD0592FE47F0DF61 just happens to be the fingerprint of the Matrix.org key dated 2015-12-09.
It considers all /etc/apt/trusted.gpg* keys with that fingerprint to be evil, without much pre-install warning at this time. | 21:20:36 |
Linda | https://lists.debian.org/debian-devel/2019/02/msg00182.html | 21:21:18 |
shirish | my query is when it installs, it installs pretty much the same fingerprint, so why it thinks it's evil. | 21:21:40 |
Linda | Would a simple explanation in this chat suffice, or should I also explain it while installing? | 21:22:03 |