Re: Dropping Release and Release.gpg support from APT

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Re: Dropping Release and Release.gpg support from APT

Philipp Kern-2
On 2019-07-09 20:53, Julian Andres Klode wrote:

> we currently have code dealing with falling back from InRelease
> to Release{,.gpg} and it's all a bit much IMO. Now that buster
> has been released with an InRelease file, the time has IMO come for
> us to drop support for the old stuff from APT!
>
> Timeline suggestion
> -------------------
> now         add a warning to apt 1.9.x for repositories w/o InRelease,
> but Release{,.gpg}
> Aug/Sep     turn the warning into an error, overridable with an option
> (?)
> Q1 2020     remove the code
>
> My idea being that we give this a cycle in the Ubuntu 18.10 stable
> release before we drop it, so people are ready for it.
>
> Why remove it?
> --------------
> * It's annoying UX to have repositories with Release files and the
> "Ign" lines
> * Handling the fallback from InRelease to Release{,.gpg} involves some
> abstractions
>   and logic and the less logic we have in security-relevant file
> fetching, the better

One thing worth noting in case we drop support for generating the files:
It looks like choose-mirror (no bug found) and net-retriever (bug in
[1]) in d-i still use Release and not InRelease. Found by investigating
annoying file races internally that would have been solved by
InRelease...

Kind regards
Philipp Kern

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926035