)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed technologist, collaborating mostly with 7bulls.com"},"change_message_id":"8ef1dac0193a2d4e263281c6a63d556a8b67ce45","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"196e2b08_7ecc19dc","updated":"2022-03-02 15:43:34.000000000","message":"seems we got extrepo by https://review.opendev.org/c/openstack/kolla/+/772479","commit_id":"d8622b6d5dc12a3965b87d4a52b781a30dd330ab"},{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"f836f2794ccc721c4646d4997e533d7da9986d6d","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"bf81114f_3a93c737","in_reply_to":"00c14d33_ee716f10","updated":"2022-03-06 19:28:28.000000000","message":"A MITM could both replace the key and then serve pkgs signed with the replaced key, so this is in fact a valid concern IMO.\n\nextrepo has the key built into its data, so that makes an attack much more difficult: https://salsa.debian.org/extrepo-team/extrepo-data/-/blob/master/repos/debian/osbpo.yaml\n\nzigo is working on making extrepo have a builtin copy of that data, so as to avoid the dependency on salsa being reachable, I think that that is the better solution. The other way to fix the issue would be to place the key itself into kolla.","commit_id":"d8622b6d5dc12a3965b87d4a52b781a30dd330ab"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed technologist, collaborating mostly with 7bulls.com"},"change_message_id":"6461a64c4a5bdda01486706dbe1aa7fab9e31908","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"1fc291a6_4b012b0f","in_reply_to":"196e2b08_7ecc19dc","updated":"2022-03-02 15:45:42.000000000","message":"it seems the reason we used it is that we need gnupg key delivered securely - maybe we could just embed it in kolla if we can\u0027t get osbpo to serve https (though tbh it\u0027s lame it does not support https in 2022)","commit_id":"d8622b6d5dc12a3965b87d4a52b781a30dd330ab"},{"author":{"_account_id":24072,"name":"Marcin Juszkiewicz","email":"mjuszkiewicz@redhat.com","username":"hrw"},"change_message_id":"f17480f74ce26d523bf38e253f5dd09c33245b6f","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"00c14d33_ee716f10","in_reply_to":"1fc291a6_4b012b0f","updated":"2022-03-06 17:48:15.000000000","message":"If you MITM other key while fetching it over http then APT will complain:\n\n()[root@jagular sources.list.d]# cp /etc/kolla/apt-keys/treasuredata.asc  /var/lib/extrepo/keys/openstack_yoga.asc\n()[root@jagular sources.list.d]# apt update\nHit:1 http://osbpo.debian.net/debian bullseye-yoga-backports InRelease\nHit:2 http://deb.debian.org/debian bullseye InRelease\nHit:3 http://deb.debian.org/debian-security bullseye-security InRelease\nHit:4 http://osbpo.debian.net/debian bullseye-yoga-backports-nochange InRelease\nHit:5 http://deb.debian.org/debian bullseye-updates InRelease\nHit:6 http://deb.debian.org/debian bullseye-backports InRelease\nErr:1 http://osbpo.debian.net/debian bullseye-yoga-backports InRelease\n  The following signatures couldn\u0027t be verified because the public key is not available: NO_PUBKEY 56056AB2FEE4EECB\nErr:4 http://osbpo.debian.net/debian bullseye-yoga-backports-nochange InRelease\n  The following signatures couldn\u0027t be verified because the public key is not available: NO_PUBKEY 56056AB2FEE4EECB\nReading package lists... Done\nBuilding dependency tree... Done\nReading state information... Done\nAll packages are up to date.\nW: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://osbpo.debian.net/debian bullseye-yoga-backports InRelease: The following signatures couldn\u0027t be verified because the public key is not available: NO_PUBKEY 56056AB2FEE4EECB\nW: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://osbpo.debian.net/debian bullseye-yoga-backports-nochange InRelease: The following signatures couldn\u0027t be verified because the public key is not available: NO_PUBKEY 56056AB2FEE4EECB\nW: Failed to fetch http://osbpo.debian.net/debian/dists/bullseye-yoga-backports/InRelease  The following signatures couldn\u0027t be verified because the public key is not available: NO_PUBKEY 56056AB2FEE4EECB\nW: Failed to fetch http://osbpo.debian.net/debian/dists/bullseye-yoga-backports-nochange/InRelease  The following signatures couldn\u0027t be verified because the public key is not available: NO_PUBKEY 56056AB2FEE4EECB\nW: Some index files failed to download. They have been ignored, or old ones used instead.\n\nRepository files are signed with private key and it has to match.","commit_id":"d8622b6d5dc12a3965b87d4a52b781a30dd330ab"}]}
