If one should happen to have redirected /usr/bin/gpg to run GnuPG 2.x
rather than the more usual GnuPG 1.x, the apt_key provider fails with
the following error:
Could not prefetch apt_key provider 'apt_key': invalid date
This is because the output of "--with-colons" defaults to using
"fixed-list-mode" in 2.x but did not do so for 1.x. This new format
gives much more information about keys and also uses timestamps in
seconds from 1970-01-01 (UNIX epoch) rather than dates in the format
YYYY-MM-DD.
This patch adds "--fixed-list-mode" when calling apt-key, and adjusts
the code to parse the timestamps instead. This actually has several
advantages:
- Works the same with GnuPG 1.x and 2.x.
- More accurate expiry time tracking, not just entire days.
- No need to require 'date' any longer.
- Will allow the provider to expose more key information in future.
Tested on:
- Debian Wheezy (Puppet 2.7.23, Ruby 1.8.7p358)
- Debian Jessie (Puppet 3.7.2, Ruby 2.1.5p273)
better attempt at gpg version checking
adding in key length warning
removing version check, adding key check
adding tests
clean up the code
small changes
use commands
documentation updates
In what universe does it make sense to create a `sources.list.d` entry
for a repository **without** specifying where this repository is?
😖😞😩😧😱
Only when removing the resource should a location not be required.
the apt module did not correctly detect Cumulus Linux with lsbdistid.
This change adds several lines in params.pp to detect Cumulus Linux and
set $distid and $distcodename
It is weird that `trusted_source` would default to `false` as that would
imply that we normally don't trust our sources. This is opposite to the
truth, by default we trust them but only if the Releases file can be
verified (meaning it is signed by a GPG key known to apt).
What we were telling apt is that it should trust this source even if the
Releases file and the repository is unsigned. This is better captured
with `allow_unsigned` and better highlights the danger of what you're
doing, installing packages from a source we cannot authenticate.
This makes its behaviour similar to the `update`, `proxy` and `purge`
hashes on the main classes bringing its API more in line with the rest
of the module.
`$xfacts` now contains and guards all `lsb*` facts. Looking up any
`lsb*`-related fact should now always be done through `$::apt::xfacts`
to ensure that the values are always set to either the value of the fact
or undef. This avoids all sorts of kerfuffles with strict variables.
A few of these fixes are absolutely horrendous but we have no choice as
we need to stay current- and future-parser compatible for now.
Once we can go Puppet 4 only we can use the `$facts` hash lookup instead
which will return undef/nil for things that aren't set instead of them
not being defined at all.
This was a great idea but is pretty pointless. It's also not being used
by anything and not exposed as a switch on the main class so it would
almost never affect any behaviour.
The behaviour of passing down undef through multiple layers gets fuzzy
so for now be explicit about the keyserver.
Once Puppet 4 is out and this behaviour has been crystallised and tested
we can revisit it.
