Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > linux.debian.devel.testing > #1528
| From | Tsiang Elaine Reisler <ter@zipcon.net> |
|---|---|
| Newsgroups | linux.debian.bugs.dist, linux.debian.devel.testing |
| Subject | Bug#1132105: upgrade-reports: apt update fails, keys for https not in debian-archive-keyring from bookworm |
| Date | 2026-03-28 08:30 +0100 |
| Message-ID | <MDwhj-aSbz-1@gated-at.bofh.it> (permalink) |
| Organization | linux.* mail to news gateway |
Cross-posted to 2 groups.
Package: upgrade-reports Severity: important (Please provide enough information to help the Debian maintainers evaluate the report efficiently - e.g., by filling in the sections below.) My previous release is: bookworm I am upgrading to: trixie Trixie Archive date: after point release 13.4 3/14/26 Upgrade date: 3/23/26 uname -a after upgrade: Linux step 6.12.74+deb13+1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.74-2 (2026-03-08) x86_64 GNU/Linux Method: apt Contents of /etc/apt/debian.sources: Types: deb URIs: https://deb.debian.org/debian Suites: trixie trixie-updates Components: main contrib non-free non-free-firmware Signed-By: /usr/share/keyrings/debian-archive-keyring.pgp Types: deb URIs: https://security.debian.org/debian-security Suites: trixie-security Components: main contrib non-free non-free-firmware Signed-By: /usr/share/keyrings/debian-archive-keyring.pgp - no non-Debian packages installed before the upgrade - system was 'pure' - Did any packages fail to upgrade? apt update failed with Get:3 https://deb.debian.org/debian trixie-updates InRelease [47.3 kB] Err:1 https://deb.debian.org/debian trixie InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6ED0E7B82643E131 NO_PUBKEY 78DBA3BC47EF2265 NO_PUBKEY 762F67A0B2C39DE4 ... Further Comments/Problems: This is not exactly a "bug", but incomplete guidance, especially to users who do not closely track debian policy changes. The release notes for upgrading to trixie from bookworm strongly recommend upgrading via https. But if a naive user then sets up the above debian.sources in /etc/apt/sources.list.d/, she can not even apt update. It is especially puzzling because the keys for trixie appear to be in the bookworm keyrings. The solution is to use the prior http sources.list unsigned for trixie, install just debian-archive-keyring, then use debian.sources for the entire upgrade. This may be "insecure", but there seems to no work around. I am bug-reporting to suggest that you include this pointer, or a better work-around that I don't know about, in your recommendation for your users to transition to upgrading via https, for trixie or future releases. Web searches, especially with the current interference from AI, gain worse than nothing. Please attach the output of "COLUMNS=200 dpkg -l" (or "env COLUMNS ...", depending on your shell) from before and after the upgrade so that we know what packages were installed on your system.
Back to linux.debian.devel.testing | Previous | Next | Find similar
Bug#1132105: upgrade-reports: apt update fails, keys for https not in debian-archive-keyring from bookworm Tsiang Elaine Reisler <ter@zipcon.net> - 2026-03-28 08:30 +0100
csiph-web