DietPi OS APT update warnings

Troubleshooting
1

I am running DietPi OS (v10.0.1) on a Raspberry Pi 4 (4GB) as a headless server for various LAN services (Jellyfin, Samba, Pi-hole, Unbound, Tailscale), and when updating, I see the following warnings:

Warning: http://archive.raspberrypi.org/debian/dists/bullseye/InRelease: Policy will reject signature within a year, see --audit for details

Warning: http://archive.raspberrypi.org/debian/dists/trixie/InRelease: Policy will reject signature within a year, see --audit for details

Although it tells me to “see audit for details,” I do not know what that means, nor where to go to see the audit.

Can anyone explain what these warnings mean, and how to resolve them? Thank you in advance!

2

This comes from APT’s signature verification system.

In short:

  • The Raspberry Pi archive signing key used for
    archive.raspberrypi.org
    is approaching an expiration or weak-policy threshold
  • APT is warning you in advance that:
    • Updates are still accepted now
    • But future APT versions will refuse that signature unless it’s refreshed

This is a heads-up, not a failure.

apt update --audit

3

Nothing need to be done

4

Thanks, Jappe, for the explanation regrading how to view the audit, which I have attached as an image (since new users can’t post more than two links at a time).

Joulinar is saying I do not need to to anything, but the audit recommends that I consider migrating all sources.list(5) entries to the deb822 .sources format, and that some sources can be modernized with the “apt modernize-sources” command. Will this refresh these signatures so that future APT versions will not refuse them?

And how do I “See apt-secure(8) for best practices in configuring repository signing“?

Audit-details
Audit-details1331×525 91 KB

5

https://manpages.debian.org/testing/apt/apt-secure.8.en.html

6

Thanks for the link. I read it, but this is all a bit above my head.

I just want to know what, if anything, needs to be done right now? Do I just wait until the day I can no longer update?

7

I guess I was clear enough. You don’t need to do anything now.

8

Thanks @Joulinar! Doing nothing is my specialty! However, I still wonder:

Why am I getting updates both from Bullseye (which is like 3 versions behind) and Trixie (which is the latest)? Shouldn’t I only have one?
I am on DietPi 10.0.1, which I understand is Bookworm, so why do I have Bullseye and Trixie and not just Bookworm?

9

Not sure if this is helpful, but when I run sudo dietpi-update, I see this:

DietPi-update
DietPi-update1361×612 90.6 KB

10

because this is how your Debian source files are configured. Maybe the Bullseye source is a leftover from past or you configured it manually.

depends on Debian source file configuration

Wrong understanding. DietPi version has nothing to do with Debian version. They are unrelated. Even DietPi is not an own operating system (os). It’s a set of bash scripts on top of Debian base

depends on Debian source file configuration

seems you updated your system to Trxie or you used a Trxie image right from start

Let’s check your source files

for i in /etc/apt/sources.list{,.d/*.list}; do echo "$i:"; cat "$i"; done

Btw there is absolutely no need to do screen prints. Simply copy / past the output from SSH terminal

11

Many thanks, I sincerely appreciate the quick responses here. At this stage, “wrong understanding” seems to be my default setting.

I joined the forum yesterday, thus when I try to simply copy/past terminal output, I get this warning: An error occurred: Sorry, new users can only put 2 links in a post.

If there is another way to post this without a screen print, please let me know. For now, here is the source file output:

source
source1207×366 17.9 KB

12

Simply use code block to copy your content

```
your text
```

This will avoid issues with url limitations

13

Here is the source file output:

/etc/apt/sources.list:
deb https://deb.debian.org/debian/ trixie main contrib non-free non-free-firmware
deb https://deb.debian.org/debian/ trixie-updates main contrib non-free non-free-firmware
deb https://deb.debian.org/debian-security trixie-security main contrib non-free non-free-firmware
deb https://deb.debian.org/debian/ trixie-backports main contrib non-free non-free-firmware
/etc/apt/sources.list.d/dietpi-jellyfin.list:
deb https://repo.jellyfin.org/debian trixie main
/etc/apt/sources.list.d/dietpi-tailscale.list:
deb https://pkgs.tailscale.com/stable/debian trixie main
/etc/apt/sources.list.d/dietpi-webmin.list:
deb https://download.webmin.com/download/newkey/repository stable contrib
/etc/apt/sources.list.d/dietpi.list:
deb https://dietpi.com/apt trixie main
deb https://dietpi.com/apt all rpi
/etc/apt/sources.list.d/raspi-bullseye.list:
deb [signed-by=/usr/share/keyrings/raspberrypi-archive-keyring.gpg] http://archive.raspberrypi.org/debian/ bullseye main
/etc/apt/sources.list.d/raspi.list:
deb [signed-by=/usr/share/keyrings/raspberrypi-archive-keyring.gpg] http://archive.raspberrypi.org/debian/ trixie main
14

You need to remove following file

rm /etc/apt/sources.list.d/raspi-bullseye.list
apt update
15

I tried the command you provided, but there were errors:

rm: remove write-protected regular file '/etc/apt/sources.list.d/raspi-bullseye.list'? y
rm: cannot remove '/etc/apt/sources.list.d/raspi-bullseye.list': Permission denied
Error: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
Error: Unable to lock directory /var/lib/apt/lists/

When I ran command as sudo, I only see the errors:

Error: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
Error: Unable to lock directory /var/lib/apt/lists/

Not sure what to do from here…

16

These are 2 commands and both need root permissions. Best to use user root or you would need to add sudo to both commands

17

Understood–and thanks again! I ran the command with sudo but this is the output:
rm: cannot remove ‘/etc/apt/sources.list.d/raspi-bullseye.list’: No such file or directory

18

Yes the file is gone already because you removed it on one of the other attempts where you already used sudo, but just for the removal command

19

Again, thanks a million. I appreciate your patience with my confusion.

After updating, the file (and Bullseye-related warning) have indeed disappeared.

As for the other:

Warning: http://archive.raspberrypi.org/debian/dists/trixie/InRelease: Policy will reject signature within a year, see --audit for details

My understanding is that this is just a heads-up, no need to do anything!

Final question: The audit suggested I consider migrating all sources.list(5) entries to the deb822 .sources format, as well as running the ‘apt modernize-sources’ command. The migration sounds potentially difficult for me, but do you recommend I run the modernize sources command, and are there any (breakage) risks involved?

20

I did it yesterday on my system, you can just run apt modernize-sources, it will create backups of all of your .list files and convert them to .sources. There is then no /etc/apt/sources.list anymore, this one will then live at /etc/apt/sources.list.d/debian.sources.

The backed-up files are then suffixed with .bak

example:

root@RPi4:/etc/apt# tree sources.list.d
sources.list.d
├── crowdsec_crowdsec.list.bak
├── crowdsec_crowdsec.sources
├── debian-backports.sources
├── debian.sources
├── dietpi.list.bak
├── dietpi.sources
├── raspi.list.bak
└── raspi.sources


1 directory, 14 files
root@RPi4:/etc/apt# ls
insgesamt 32
drwxr-xr-x 2 root root 4096 25. Jan 23:34 apt.conf.d
drwxr-xr-x 2 root root 4096 10. Jun 2021  auth.conf.d
drwxr-xr-x 2 root root 4096 30. Dez 04:13 keyrings
drwxr-xr-x 2 root root 4096 24. Aug 14:25 preferences.d
-rw-r--r-- 1 root root  370 28. Aug 16:10 sources.list.bak
drwxr-xr-x 2 root root 4096 30. Jan 04:38 sources.list.d
drwxr-xr-x 2 root root 4096 30. Jan 04:27 sources.list.d.bak
drwxr-xr-x 2 root root 4096 30. Jan 04:36 trusted.gpg.d
root@RPi4:/etc/apt#