Comment 1 for bug 1825239

Steve Langasek (vorlon) wrote :

Thanks, questions about this upload:

How do I know that keyrings/ubuntu-esm-v2-keyring.gpg is authentic? Not that I don't trust you, but when dealing with the installation of gpg keys that will be trusted by apt, it is useful to have a trust path that can be independently verified by someone other than the uploader (even if the set of people that can verify it is still limited, e.g. archive admins etc).

--- ubuntu-advantage-tools-10ubuntu0.14.04.2/apt.conf.d/51ubuntu-advantage-esm
1970-01-01 00:00:00.000000000 +0000
+++ ubuntu-advantage-tools-10ubuntu0.14.04.3/apt.conf.d/51ubuntu-advantage-esm
2019-04-18 17:24:38.000000000 +0000
@@ -0,0 +1,3 @@
+Unattended-Upgrade::Allowed-Origins {
+ "${distro_id}ESM:${distro_codename}-security";
+};
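
Review bot: the new 51ubuntu-advantage-esm file carries no comment, so an admin who finds "${distro_id}ESM:${distro_codename}-security" under Unattended-Upgrade::Allowed-Origins has nothing in the file saying which package added it or why. A short header comment naming ubuntu-advantage-tools and stating that the entry allows unattended upgrades from the ESM security origin would make the change discoverable on the system itself.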

I think this is worth calling out in the changelog, since it changes the configuration of the system for all users even if the user does not enable esm.

+_apt_add_auth() {
+ local repo_host="$1"
+ local credentials="$2"
+
+ local login password
+ login=$(echo "$credentials" | cut -d: -f1)
+ password=$(echo "$credentials" | cut -d: -f2)
+ [ -d "$APT_AUTH_DIR" ] || mkdir -p "$APT_AUTH_DIR"
+ [ -f "$APT_AUTH_FILE" ] || touch "$APT_AUTH_FILE"
+ chmod 600 "$APT_AUTH_FILE"
+ echo "machine ${repo_host}/ login ${login} password ${password}" \
+ >>"$APT_AUTH_FILE"
+}
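
Review bot: in the password= line, `cut -d: -f2` keeps only the text between the first and second colon, so a credential whose password part itself contains a ':' is written to $APT_AUTH_FILE truncated; `-f2-` or the parameter expansion "${credentials#*:}" would keep the remainder intact. The echo also writes login and password unquoted into a whitespace-delimited "machine ... login ... password ..." entry, so values containing whitespace should be rejected before the append.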

Does this mean that if I run 'ua enable-esm' twice, the file gets two entries? (Should this be > instead of >> so that it's idempotent?)

+_apt_remove_auth() {
+ local repo_host="$1"
+
+ sed -i "/^machine ${repo_host}\/ login/d" "$APT_AUTH_FILE"
+}
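
Review bot: the sed call runs with no check that $APT_AUTH_FILE exists, so if the file is absent when _apt_remove_auth runs, sed -i fails; a [ -f "$APT_AUTH_FILE" ] guard like the one in _apt_add_auth would avoid that. ${repo_host} is also interpolated into the regex unescaped, so each '.' in the hostname matches any character; escaping it keeps the delete limited to the exact host.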

Given that this file is /etc/apt/auth.conf.d/90ubuntu-advantage which is exclusive to ESM, why sedding this out instead of deleting the file?

+deb https://${ESM_REPO_HOST}/ubuntu ${SERIES}-updates main
+# deb-src https://${ESM_REPO_HOST}/ubuntu ${SERIES}-updates main
+EOF

I would suggest that we don't enable -updates at this stage, and defer that until the new client lands.