Brave-browser: Missing dependency on brave-keyring on the deb package of v0.66.99

Channels beta (v0.67.100), dev (v0.68.88) and nightly (v0.69.27) install with no problems, because none depends on brave-keyring, so I updated the info above.

Confirmed installing the deb file shows an error about keyring.

cc: @fmarier @mbacchi

I just checked the changelog on reddit, here and I found out that the dependency on brave-keyring is because of issue #4205
https://old.reddit.com/r/brave_browser/comments/c8b494/release_channel_v06699_is_live/

I have an idea. How about making brave-keyring a recommended dependency? By default, apt installs anything listed as a recommended dependency, so this will allow brave-keyring to be installed for the average user who uses apt's default configuration but, at the same time, not be an issue for an advanced user who does not install recommended dependencies.

There is also the option to add the key manually, post-installation, e.g. with a script that executes something like that

wget http://example.com/brave.key
apt-key add brave.key
rm brave.key

Chrome's and opera's deb packages add their repos' keys by themselves once the installation is done, so you can take a look on how they do it. They do not use a keyring package at all.

While you're right that this is not very user-friendly, that's the expected behavior with Debian packages. dpkg is a low-level tool which doesn't automatically resolve dependencies. The tool which does is apt.

In general, it's not possible to install packages directly with dpkg. The only time that works is when the packages being installed are leaf packages (i.e. no dependencies).

That said, working around this limitation of dpkg is easy. Simply run apt install -f afterwards. In other words, assuming you have the repository configured, the full list of steps would look like this:

wget https://github.com/brave/brave-browser/releases/download/v0.66.99/brave-browser_0.66.99_amd64.deb
dpkg -i brave-browser_0.66.99_amd64.deb
apt install -f

See https://brave-browser.readthedocs.io/en/latest/installing-brave.html#linux for our official installation instructions.

I have read the instructions and they do not work for me becaiuse I am on debian. In fact, the variable "$UBUNTU_CODENAME" there returns nothing, so the rest of it breaks down.
I can install the key as described in the first part, before "source blablabla", but it is pointless since I can not use the repo.

Also, my issue report here is about a package that is not available to install, yet it is a direct dependency, not for the key itself. Keys are used to sign repos that contain packages.
If you are willing to make a repo (or use an part of the existing one) for debian, I am willing to verify if it works.

The repo does work on Debian, but you're right that our instructions don't quite work for that distro yet. Here's how to make it work properly: https://community.brave.com/t/unable-to-install-brave-browser-in-my-debian-os-distro/43891/6

For starters, I won't use an ubuntu repo on my debian install. The reason is simple: frankendebian (google it if you do not know what it means).

I tried adding this line as a source

deb https://brave-browser-apt-release.s3.brave.com/ stable main

but it results to a 403 error (forbidden) and apt reports this
E: Failed to fetch https://brave-browser-apt-release.s3.brave.com/dists/stable/main/binary-amd64/Packages 403 Forbidden [IP: 151.101.2.217 443]

Changing "stable" to "stretch", like so

deb https://brave-browser-apt-release.s3.brave.com/ stretch main

makes apt complain only about the missing keyring

W: GPG error: https://brave-browser-apt-release.s3.brave.com stretch InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 4FE13824E3FFC656

which can be resolved by installing brave-keyring, so the repo line is fine.

However, since stretch will be labeled "oldstable" this Saturday (July 6th 2019) with the release of debian 10, aka buster, I tried "buster" there and it still works, mentioning only the missing key as above.

W: GPG error: https://brave-browser-apt-release.s3.brave.com buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 4FE13824E3FFC656

Changing "stable" to "testing" or "unstable", in order to avoid all those codenames which I can not even remember after 11.5+ years on debian, still pops the 403 error.
Things would be a lot easier if the repo allowed http access from a browser to its root folder, i.e. this

https://brave-browser-apt-release.s3.brave.com/dists/

but it does not, so the right way can only be found via trial and error.

Finally, I won't mind installing/upgrading to beta (or nightly or dev) version by manually downloading and installing the deb file from github each time, provided that these debs do not list brave-keyring as a direct dependency, for both now and in the future.

p.s. I have ommited the [arch=amd64] part of the repo lines since I am on amd64 architecture and I do not use... foreign architectures on my system. I think it would be reasonable to state somewhere that the deb and rpm repos provide packages for the amd64 architecture only.

While you're right that this is not very user-friendly, that's the expected behavior with Debian packages. dpkg is a low-level tool which doesn't automatically resolve dependencies. The tool which does is apt.

In general, it's not possible to install packages directly with dpkg. The only time that works is when the packages being installed are leaf packages (i.e. no dependencies).

That said, working around this limitation of dpkg is easy. Simply run apt install -f afterwards. In other words, assuming you have the repository configured, the full list of steps would look like this:

wget https://github.com/brave/brave-browser/releases/download/v0.66.99/brave-browser_0.66.99_amd64.deb
dpkg -i brave-browser_0.66.99_amd64.deb
apt install -f

I completely missed that reply. sorry.
What you suggest is not doable because once I run apt-get install -f, apt will remove brave because it can not satisfy the dependencies.

$ sudo apt-get install -f
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Correcting dependencies... Done
The following packages will be REMOVED:
  brave-browser
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 250 MB disk space will be freed.
Do you want to continue? [Y/n] y

I know about the -f parameter, I used it the first time I installed brave in order to install the libappindicator libs that the package needs and I have used it many times in the past for similar deb packages.

For starters, I won't use an ubuntu repo on my debian install.

I understand the confusion and you're right about not wanting to mix packages between the Debian and Ubuntu repositories. There be dragons.

Despite the name in our repo configuration, the packages are not specific to Ubuntu. The same packages are used for all Debian-based distros. The package you got from GitHub is exactly what you get from the repo regardless of the keyword you use in the repo config file. We have an issue open to address that by removing the distro-specific names and replacing that with the word "stable", just like Google does it for their official Chrome repositories.

However, since stretch will be labeled "oldstable" this Saturday (July 6th 2019) with the release of debian 10, aka buster, I tried "buster" there and it still works, mentioning only the missing key as above.

Similarly, the package you get when you specific stretch is the exact same one from when you specify bionic. That's why we want to get rid of all of these distro-specific names and use the same name for all since there's only one version of the brave-browser package, specifying the distro name is unnecessary.

In any case, if you followed my instructions using stretch instead of bionic then you have a working and supported setup. When we migrate to the single name for all distros (i.e. stable), we will maintain the old names for backward compatibility.

Understood. Thank you :)
Now that the conversation has moved to the repos, I would like to add the following.

On the forementioned instructions page, if you substitute $UBUNTU_CODENAME with $VERSION_CODENAME, you get the debian equivalent of the repo. It is that simple, it works for debian 8 (jessie), 9 (stretch) and 10 (buster) and for all version of brave (stable, beta, dev and nightly).

On the forementioned instructions page, if you substitute $UBUNTU_CODENAME with $VERSION_CODENAME, you get the debian equivalent of the repo.

Good idea, I filed #5156 for this.

It doesn't seem to work on Debian 9 though:

$ cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

I do not have a debian 9 (or 8) installation so as to check, sorry. I will check what the /etc/os-release on those versions say and post back later.

However, if you replace just their codename here
deb https://brave-browser-apt-release.s3.brave.com/ buster mainrelease.s3.brave.com/ buster main
the repo line is fine because apt does not pop up the 403 error.

On the other hand, the output of lsb_release -sc (-s is for short, -c is for the codename) will give you the same info and I believe it works on ubuntu too. However, I have no idea how to put it on that one liner with echo "deb blablabla".

---edit
You are right. Debian 8's /etc/os-release file says these

PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

and debian 9's file says these

PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

so a better solution is needed.

A minor thing I noticed that is relevant to the above but not worth opening a seperate issue.

I saw that brave's apt repo uses https, so, in order for apt to access it, apt should be "https=capable".
Apt natively supports https in version 1.6.0 and newer, but it needs apt-transport-https to support it on version 1.5.x and older.
This means that apt-transport-https must also be installed for ubuntu 14.04 (and mint 17.x, both eol by now), ubuntu 16.04 (and mint 18.x) and debian 9 (codenamed stretch). So please, add it as an additional step on the instructions for each distro.

Thank you.

p.s. Do not make the apt-transport-https package a dependency for brave-browser because it will install it on the newer distros as well, and there it is just a transitional package that apt will remove as unneeded the next time "apt-get autoremove" is run.

@pitsi I've created #5343 so that we can track this properly.

@fmarier this is a dupe of #5343 correct? Just double checking a this one is labelled as QA/Yes and #5343 is labelled as QA/No. If this is a dupe, lets add the duplicate label and remove the QA/Yes and priority/P3 labels and use #5343 instead.

No, they're different. The issue in this one is the missing dependency on the brave-keyring package whereas the issue in #5343 is the missing dependency on apt-transport-https.