Apt update today with "Notice"

shigeru · January 23, 2025, 3:58am

Hello,

I have got unusual Notices with apt update today;

shigeru@mntpr-0:~$ sudo apt update
[sudo] password for shigeru: 
Get:1 http://deb.debian.org/debian unstable InRelease [205 kB]
Get:2 http://deb.debian.org/debian unstable/main arm64 Packages.diff/Index [63.6 kB]
Ign:3 https://mntre.com/reform-debian-repo reform InRelease                    
Hit:4 https://deb.torproject.org/torproject.org trixie InRelease          
Get:5 http://deb.debian.org/debian unstable/main Translation-en.diff/Index [63.6 kB]
Get:6 http://deb.debian.org/debian unstable/main all Contents (deb).diff/Index [63.8 kB]
Get:7 http://deb.debian.org/debian unstable/main arm64 Contents (deb).diff/Index [63.9 kB]
Hit:8 https://mntre.com/reform-debian-repo reform Release
Ign:9 https://mntre.com/reform-debian-repo reform Release.gpg                  
Get:10 http://deb.debian.org/debian unstable/main arm64 Packages T-2025-01-23-0207.46-F-2025-01-22-2008.16.pdiff [54.5 kB]
Get:10 http://deb.debian.org/debian unstable/main arm64 Packages T-2025-01-23-0207.46-F-2025-01-22-2008.16.pdiff [54.5 kB]
Get:11 http://deb.debian.org/debian unstable/main Translation-en T-2025-01-23-0207.46-F-2025-01-22-2008.16.pdiff [2,197 B]
Get:11 http://deb.debian.org/debian unstable/main Translation-en T-2025-01-23-0207.46-F-2025-01-22-2008.16.pdiff [2,197 B]
Get:12 http://deb.debian.org/debian unstable/main all Contents (deb) T-2025-01-23-0207.46-F-2025-01-22-2008.16.pdiff [11.3 kB]
Get:12 http://deb.debian.org/debian unstable/main all Contents (deb) T-2025-01-23-0207.46-F-2025-01-22-2008.16.pdiff [11.3 kB]
Get:13 http://deb.debian.org/debian unstable/main arm64 Contents (deb) T-2025-01-23-0207.46-F-2025-01-22-2008.16.pdiff [35.4 kB]
Get:13 http://deb.debian.org/debian unstable/main arm64 Contents (deb) T-2025-01-23-0207.46-F-2025-01-22-2008.16.pdiff [35.4 kB]
Get:14 http://deb.debian.org/debian unstable/main arm64 Components [4,655 kB]  
Fetched 5,219 kB in 36s (143 kB/s)                                             
80 packages can be upgraded. Run 'apt list --upgradable' to see them.
Notice: Missing Signed-By in the sources.list(5) entry for 'http://deb.debian.org/debian'
Notice: Missing Signed-By in the sources.list(5) entry for 'https://mntre.com/reform-debian-repo'
Notice: Consider migrating all sources.list(5) entries to the deb822 .sources format
Notice: The deb822 .sources format supports both embedded as well as external OpenPGP keys
Notice: See apt-secure(7) for best practices in configuring repository signing.

Should I follow the suggestion in the Notice, or is there Pocket Reform particular way that this issue should be addressed? Just wanted to ask before proceeding ahead.

Thanks.

josch · January 23, 2025, 5:51am

You are not alone. This has been a hot topic in #debian-devel as well as #debian-next since yesterday. Summary is, that the latest version of apt landed in unstable the day before yesterday added these notice-level messages while at the same time leaving the user pretty-much hanging when it comes to how to accomplish this. The manual pages that these messages point to are not giving easy to apply suggestions either.

In summary, the plan seems to be that apt will prefer deb822 sources.list files with signed-by fields. What is now a notice-level message, will likely become a warning at some point. I’d assume though that long before that happens, apt will provide some way to easily turn your one-line sources.list into deb822 format or something.

So this topic is not reform specific. It affects literally all Debian users except those who manually wrote their apt sources.list files in deb822 format. By default, debian-installer still writes out the one-line format and so does nearly every chroot or container creation tool. A lot of users are affected by this and will see these messages. I’d assume that most of them are asking the same question as you do.

You can follow apt’s suggestion and mangle your sources.list files. But this is only a notice-level message so if I were you, I’d first wait for apt to provide you with some automated tool to do this work for you. I don’t think that we’ll release Trixie (which, by default, uses the one-line format without signed-by) without a way to automatically convert millions of user’s setups…

shigeru · January 25, 2025, 10:52pm

Thank you for the clarification.

Since the trouble I got myself in with the casual updating, I have been relatively attentive with the messages, as you can see.

I ended up converting to deb822 format:

Enabled: yes
Types: deb
URIs: http://deb.debian.org/debian
Suites: unstable
Components: main non-free-firmware

Now, only Notice: Missing Signed-By in the sources.list(5) entry... remains. However, things have been working without issue so far, as you clarified.

Much appreciations.