[Bug 1433761] Re: apt-key and add-apt-repository don't honor Acquire::http::Proxy

Dmitrii Shcherbakov 1433761 at bugs.launchpad.net
Mon Dec 3 18:51:21 UTC 2018


{juliank, magnetik},

I checked add-apt-repository operation about a week ago while testing
some (unrelated) automation changes on bionic with proxy environment
variables and it was fine.

apt-key should not be used at all due to its deprecated functionality.

For your reference:

The manpage for apt-key mentions the following in a section about the
"add" command:
"Note: Instead of using this command a keyring should be placed directly in the /etc/apt/trusted.gpg.d/ directory with a descriptive name and either "gpg" or "asc" as file extension."

The support for /etc/apt/trusted.gpg.d/ goes back to 2010:
https://salsa.debian.org/nathanruiz-guest/apt/commit/c24f6ce22cd6720004addad2e3382b3caa6b1b7c

Debian is dropping apt-key usage as well based on what I see:
https://salsa.debian.org/live-team/live-build/merge_requests/11

Using "asc" in this directory is only supported as of apt 1.4 (on
versions before that gpg --dearmor can be used to transform a key to the
binary form).

https://salsa.debian.org/nathanruiz-guest/apt/commit/f77ea8235cafb258d1cb0b2b90e95aa36e5c4650
https://salsa.debian.org/nathanruiz-guest/apt/commit/2906182db398419a9c59a928b7ae73cf7c7aa307

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to software-properties in Ubuntu.
https://bugs.launchpad.net/bugs/1433761

Title:
  apt-key and add-apt-repository don't honor Acquire::http::Proxy

Status in apt package in Ubuntu:
  Invalid
Status in software-properties package in Ubuntu:
  Fix Released

Bug description:
  When setting the proxy server globally on the system for the APT
  package manager, add-apt-repository ignores the setting. This issue is
  present on all versions of Debian that I have tested.

  # cat /etc/apt/apt.conf.d/80proxy 
  Acquire::http::proxy "http://w.x.y.z:nnnn/";

  # apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5A9A06AEF9CB8DB0
  Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.TIa517Kcw8 --no-auto-check-trustdb --trust-model always --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg --keyring /etc/apt/trusted.gpg.d/saltstack-salt.gpg --keyserver keyserver.ubuntu.com --recv-keys 5A9A06AEF9CB8DB0
  gpg: requesting key F9CB8DB0 from hkp server keyserver.ubuntu.com
  gpg: keyserver timed out
  gpg: keyserver receive failed: keyserver error

  This has serious repercussions. Unattended installs such as juju,
  maas, etc. are all affected for anyone who is working behind a proxy.
  This is the case for most enterprise environments where such maas and
  juju setups will be tested out, and as such has great repercussions
  for Canonical as a viable supplier of OpenStack environments: if your
  product fails to install, you're not going to get the business.

  Considering that:

  * The setting to use already exists in /etc/apt/apt.conf and that all other tools use this correctly
  * The serious impact of this issue for downstream projects and Debian usage in the enterprise
  * The long time this issue has been standing and has affected people

  I suggest that this either

  1) be fixed, or
  2) the apt-key and add-apt-repository programs are renamed so that it is made clear they are not part of the APT suite of programs and therefore cannot be trusted to behave as if they were part of APT.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1433761/+subscriptions
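
The approach the reply above describes (placing a keyring directly in /etc/apt/trusted.gpg.d/ instead of running apt-key, with gpg --dearmor on apt older than 1.4), as an added shell example that is not part of the original message or of apt. The function names and the key name argument are hypothetical, and the key file is assumed to have been fetched and its fingerprint verified beforehand.

```shell
#!/bin/sh
# Added example: install an already-verified repository key without apt-key.
TRUSTED_DIR="${TRUSTED_DIR:-/etc/apt/trusted.gpg.d}"

# True if the key file $1 is ASCII-armored.
is_armored() {
    head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'
}

# True if apt version $1 is at least 1.4, the version from which ".asc"
# files in the directory are supported. Only major.minor are compared;
# suffixes such as "~beta1" or "ubuntu4" are ignored.
apt_reads_asc() {
    ver=${1#*:}                 # drop a Debian epoch, if any
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "${minor:-0}" -ge 4 ]; }
}

# Print the path the key should be installed to.
# $1 = key file, $2 = descriptive name, $3 = apt version
key_destination() {
    if is_armored "$1" && apt_reads_asc "$3"; then
        echo "$TRUSTED_DIR/$2.asc"
    else
        echo "$TRUSTED_DIR/$2.gpg"
    fi
}

# Write through a temporary file so the final name only ever holds a
# complete keyring.
install_repo_key() {
    src=$1 name=$2
    dest=$(key_destination "$src" "$name" "$3")
    tmp=$(mktemp "$TRUSTED_DIR/.$name.XXXXXX") || return 1
    if is_armored "$src" && [ "${dest##*.}" = gpg ]; then
        gpg --dearmor < "$src" > "$tmp"    # armored key, apt older than 1.4
    else
        cat "$src" > "$tmp"                # already in a form apt reads
    fi || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp" && mv -f "$tmp" "$dest"
}

# Usage: sh install-key.sh KEYFILE NAME "$(dpkg-query -W -f='${Version}' apt)"
if [ "$#" -eq 3 ]; then install_repo_key "$@"; fi
```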