
build: update debian-archive-keyring for archived debian repos, fixes #7320 #7324

Merged: stasadev merged 4 commits into ddev:main from stasadev:20250521_stasadev_archived_debian, May 22, 2025

@stasadev stasadev commented May 21, 2025

Member

The Issue

How This PR Solves The Issue

  • installs or updates debian-archive-keyring, which fixes the problem with Debian gpg keys
  • no need to remove obsolete MySQL 5.5/5.6 Jessie and before keys, we don't check them with check_key_expirations.sh
  • unifies PostgreSQL logic; adding new Debian EOL releases to the if condition is now simpler
  • removes non-working /etc/apt/sources.list.d/mysql.list from mysql:5.6
  • adds debian-security updates repo for stretch
  • uses vim-tiny instead of vim for PostgreSQL db image
  • replaces <distro>-pgdg main with <distro>-pgdg-archive main for PostgreSQL
    (pgdg-archive has more packages, see https://apt-archive.postgresql.org/)

Manual Testing Instructions

Using AMD64 machine, test MySQL 5.5:

See errors here:

$ docker run --rm -it --entrypoint=bash ddev/ddev-dbserver-mysql-5.5:v1.24.6 -c "apt-get update"
Ign:1 http://archive.debian.org/debian stretch InRelease
Hit:2 http://repo.percona.com/prel/apt stretch InRelease
Hit:3 http://archive.debian.org/debian stretch Release
Hit:4 http://repo.percona.com/pxb-24/apt stretch InRelease
Err:5 http://archive.debian.org/debian stretch Release.gpg
  The following signatures were invalid: EXPKEYSIG 04EE7237B7D453EC Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org> EXPKEYSIG EF0F382A1A7B6500 Debian Stable Release Key (9/stretch) <debian-release@lists.debian.org> The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://archive.debian.org/debian stretch Release: The following signatures were invalid: EXPKEYSIG 04EE7237B7D453EC Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org> EXPKEYSIG EF0F382A1A7B6500 Debian Stable Release Key (9/stretch) <debian-release@lists.debian.org> The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
W: Failed to fetch http://archive.debian.org/debian/dists/stretch/Release.gpg  The following signatures were invalid: EXPKEYSIG 04EE7237B7D453EC Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org> EXPKEYSIG EF0F382A1A7B6500 Debian Stable Release Key (9/stretch) <debian-release@lists.debian.org> The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
W: Some index files failed to download. They have been ignored, or old ones used instead.

No errors:

$ docker run --rm -it --entrypoint=bash ddev/ddev-dbserver-mysql-5.5:20250521_stasadev_archived_debian -c "apt-get update"
Ign:1 http://archive.debian.org/debian stretch InRelease
Hit:2 http://repo.percona.com/prel/apt stretch InRelease
Hit:3 http://archive.debian.org/debian-security stretch/updates InRelease
Hit:4 http://repo.percona.com/pxb-24/apt stretch InRelease
Hit:5 http://archive.debian.org/debian stretch Release
Reading package lists... Done

Using AMD64 machine, test MySQL 5.6:

$ docker run --rm -it --entrypoint=bash ddev/ddev-dbserver-mysql-5.6:v1.24.6 -c "apt-get update"
Ign:1 http://archive.debian.org/debian stretch InRelease
Get:2 http://repo.mysql.com/apt/debian stretch InRelease [21.6 kB]
Hit:3 http://repo.percona.com/prel/apt stretch InRelease                       
Hit:4 http://archive.debian.org/debian stretch Release                   
Hit:5 http://repo.percona.com/pxb-24/apt stretch InRelease               
Ign:2 http://repo.mysql.com/apt/debian stretch InRelease
Fetched 21.6 kB in 1s (21.3 kB/s)
Reading package lists... Done
W: GPG error: http://repo.mysql.com/apt/debian stretch InRelease: The following signatures were invalid: EXPKEYSIG 8C718D3B5072E1F5 MySQL Release Engineering <mysql-build@oss.oracle.com>
W: The repository 'http://repo.mysql.com/apt/debian stretch InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.

No errors:

$ docker run --rm -it --entrypoint=bash ddev/ddev-dbserver-mysql-5.6:20250521_stasadev_archived_debian -c "apt-get update"
Ign:1 http://archive.debian.org/debian stretch InRelease
Hit:2 http://repo.percona.com/prel/apt stretch InRelease
Hit:3 http://archive.debian.org/debian-security stretch/updates InRelease
Hit:4 http://repo.percona.com/pxb-24/apt stretch InRelease
Hit:5 http://archive.debian.org/debian stretch Release
Reading package lists... Done

And test different PostgreSQL configs (ddev start confirms successful installation):

(PostgreSQL 9,10,11 will work on AMD64 only)

# debian stretch
ddev config --database=postgres:9 --dbimage-extra-packages=postgresql-9.6-postgis-2.3,postgresql-9.6-postgis-scripts,postgis
ddev start
ddev delete -Oy
# debian stretch
ddev config --database=postgres:10 --dbimage-extra-packages=postgresql-10-postgis-2.4,postgresql-10-postgis-2.4-scripts,postgis
ddev start
ddev delete -Oy
# debian stretch
ddev config --database=postgres:11 --dbimage-extra-packages=postgresql-11-postgis-2.5,postgresql-11-postgis-2.5-scripts,postgis
ddev start
ddev delete -Oy
# debian bookworm
ddev config --database=postgres:12 --dbimage-extra-packages=postgresql-12-postgis-3,postgresql-12-postgis-3-scripts,postgis
ddev start
ddev delete -Oy

Automated Testing Overview

Release/Deployment Notes
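
The manual test in the description above compares `apt-get update` output by eye. As an added example (not part of this PR or of DDEV's code; the function names are hypothetical and the sample lines are abridged from the output quoted above), this shell function extracts the signature findings so the same comparison can gate a build:

```shell
#!/bin/sh
# Added example, not DDEV code. Function names are hypothetical.
# Usage: apt-get update 2>&1 | apt_sig_ok

# Read `apt-get update` output on stdin and print one line per distinct finding:
# "<STATUS> <KEYID>" for key/signature statuses, "UNSIGNED <repo>" for
# repositories apt reports as not signed.
apt_sig_failures() {
    awk '
    {
        for (i = 1; i < NF; i++) {
            if ($i ~ /^(EXPKEYSIG|NO_PUBKEY|BADSIG|REVKEYSIG|EXPSIG)$/ &&
                $(i + 1) ~ /^[0-9A-F]+$/ && length($(i + 1)) >= 16) {
                k = $i " " $(i + 1)
                if (!(k in seen)) { seen[k] = 1; print k }
            }
        }
    }
    /^W: The repository .* is not signed/ {
        split($0, q, "\047")   # \047 is the single quote around the repo name
        if (!(q[2] in seen)) { seen[q[2]] = 1; print "UNSIGNED " q[2] }
    }'
}

# Gate: succeed only when the output carries no signature findings.
apt_sig_ok() {
    findings=$(apt_sig_failures)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" >&2
    return 1
}

# Abridged from the mysql-5.6 v1.24.6 output quoted in the description.
sample_before() {
    cat <<'EOF'
Hit:3 http://repo.percona.com/prel/apt stretch InRelease
W: GPG error: http://repo.mysql.com/apt/debian stretch InRelease: The following signatures were invalid: EXPKEYSIG 8C718D3B5072E1F5 MySQL Release Engineering <mysql-build@oss.oracle.com>
W: The repository 'http://repo.mysql.com/apt/debian stretch InRelease' is not signed.
EOF
}

# Abridged from the output of the image built from this PR's branch.
sample_after() {
    cat <<'EOF'
Hit:3 http://archive.debian.org/debian-security stretch/updates InRelease
Hit:5 http://archive.debian.org/debian stretch Release
Reading package lists... Done
EOF
}
```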

@stasadev stasadev requested a review from a team as a code owner May 21, 2025 21:59
@github-actions github-actions Bot added the dependencies (Pull requests that update a dependency file) and maintenance labels May 21, 2025

github-actions Bot commented May 21, 2025


rfay commented May 21, 2025

Member

So impressive!

@rfay rfay left a comment

Member


Looks great, minimal risk, much better approach.

Comment thread containers/ddev-dbserver/Dockerfile Outdated
echo "deb http://archive.debian.org/debian/ stretch main contrib non-free" >/etc/apt/sources.list; \
# Fix APT for Debian Stretch (EOL; upstream mirrors disabled)
# Based on: https://serverfault.com/a/1131653
RUN if grep "Debian GNU/Linux 9" /etc/issue >/dev/null; then \
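
Review bot: the release check `grep "Debian GNU/Linux 9" /etc/issue` keys off the login banner, which is free-form text and can be edited or missing in a derived image. Reading /etc/os-release and comparing VERSION_CODENAME to stretch, as the pkg/ddevapp/config.go hunk in this PR does, would give one consistent test in both places.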

Member


This might be better/easier with a heredoc these days, no need to change unless you want to. https://www.docker.com/blog/introduction-to-heredocs-in-dockerfiles/

DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends --no-install-suggests -o APT::Get::AllowUnauthenticated=true debian-archive-keyring; \
fi
# Remove obsolete MySQL 5.5/5.6 Jessie and before keys so they don't make expiration key test stumble
RUN for item in "75DD C3C4 A499 F1A1 8CB5 F3C8 CBF8 D6FD 518E 17E1" "126C 0D24 BD8A 2942 CC7D F8AC 7638 D044 2B90 D010" "D211 6914 1CEC D440 F2EB 8DDA 9D6D 8F6B C857 C906" "A1BD 8E9D 78F7 FE5C 3E65 D8AF 8B48 AD62 4692 5553" "ED6D 6527 1AAC F0FF 15D1 2303 6FB2 A1C2 65FF B764"; do \
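
Review bot: on the install line, `-o APT::Get::AllowUnauthenticated=true` means debian-archive-keyring, the package that supplies the trust anchors for every later signature check, is itself installed without verification, and the stretch source in this Dockerfile is plain http. Consider checking the downloaded .deb against a SHA256 pinned in the Dockerfile before installing it, or at least add a comment stating that the flag is scoped to this single package and why it is needed.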

Member


What a nice thing to lose this!

Comment thread pkg/ddevapp/config.go Outdated
`, app.GetMinimalContainerTimeout())
}
extraDBContent = extraDBContent + fmt.Sprintf(`
RUN set -e; source /etc/os-release; if [ "${VERSION_CODENAME:-}" = "stretch" ] || [ "${VERSION_CODENAME:-}" = "buster" ]; then \
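
Review bot: `source` in `RUN set -e; source /etc/os-release` is a bash builtin, and RUN uses /bin/sh unless a SHELL instruction changes it; on Debian images /bin/sh is dash, which does not provide `source`. Use `. /etc/os-release` unless the generated Dockerfile sets SHELL to bash earlier. The paired `stretch` / `buster` tests will also grow with every EOL release; `case "${VERSION_CODENAME:-}" in stretch|buster)` keeps the list in one place.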

Member


Again might be candidate for heredoc.

@stasadev

Member Author

I refactored the logic to use heredoc.

@rfay rfay left a comment

Member


Looks great to me. HEREDOC format may make it a little easier to maintain in the future.

@stasadev stasadev merged commit ee609d8 into ddev:main May 22, 2025
21 checks passed
@stasadev stasadev deleted the 20250521_stasadev_archived_debian branch May 22, 2025 15:39

rfay commented Jun 15, 2025

Member

debian buster has been moved to archive

Debian 10/buster completely moved to archive.d.o; removal from main archive soon

Hi,

the Debian 10/buster LTS updates have now also been imported to
archive.debian.org. We plan to remove 10/buster from the main and
security archives soon, that is in about four weeks or two weeks before
a planned Debian 13/trixie release, whichever happens sooner.

People interested in Debian history will have to refer to
archive.debian.org in the future.

Ansgar
