[build] update isc-dhcp to 4.4.1-2.3+deb11u2 to fix build failure #15002

Merged
merged 1 commit into from
May 11, 2023

Conversation

k-v1
Contributor

@k-v1 k-v1 commented May 10, 2023

Why I did it

Fix #15000
isc-dhcp 4.4.1-2.3+deb11u1 is no longer available in the Debian repository

How I did it

Update isc-dhcp to the new version 4.4.1-2.3+deb11u2

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111
  • 202205
  • 202211

@k-v1 k-v1 requested review from qiluo-msft, xumia and lguohan as code owners May 10, 2023 09:47
@patilshashidhar

You may see a gpg verification error caused by the absence of the package signing gpg key.

isc-dhcp_4.4.1-2.3+deb11u2.dsc:
dscverify: isc-dhcp_4.4.1-2.3+deb11u2.dsc failed signature check:
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: Signature made Mon Feb 20 08:30:27 2023 UTC
gpg: using EDDSA key 3CA442833488100C04033811638B46815BBB308F
gpg: Can't check signature: No public key
gpg: can't create `/var/sananajk/.gnupg/random_seed': No such file or directory
Validation FAILED!!

@k-v1
Contributor Author

k-v1 commented May 10, 2023

You may see a gpg verification error caused by the absence of the package signing gpg key.

That's why the -u flag was added for dget:

       -u, --allow-unauthenticated
           Do not attempt to verify the integrity of downloaded source
           packages using dscverify.

This flag is already used for some packages like lm-sensors or bash.
Also sources of other packages are downloaded via wget.
I think this validation is useless if it's not enabled for all packages.
So we can disable it for this package too.

Contributor

@liushilongbuaa liushilongbuaa left a comment

LGTM.

@liushilongbuaa
Contributor

202211 branch needs this PR.

@xumia
Collaborator

xumia commented May 11, 2023

Is there a way to only allow an expired signature when unauthenticated?

@k-v1
Contributor Author

k-v1 commented May 11, 2023

Is there a way to only allow an expired signature when unauthenticated?

I can try to investigate this later.

But I think it is better to implement another solution for web files someday.
Maybe special files with hashes of downloaded files, like rules/isc-dhcp.hash containing the md5 or sha256 of the dsc file.
In this case we can validate files even with expired signatures.
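
The pinned-hash idea from the comment above, as an added example that is not part of the original thread or of sonic-buildimage: the .dsc is checked against a committed SHA-256, then every file it lists is checked against the .dsc. The function names, the pin-file format (sha256sum output) and the demo fixture are assumptions.

```shell
#!/bin/sh
# Added example, not sonic-buildimage code. The pin file uses sha256sum's
# output format ("<hex>  <name>"); its name and location are assumptions.

# verify_pinned_dsc DSC PINFILE -> 0 only if the .dsc matches its pin and each
# file under Checksums-Sha256 is present with the listed size and hash.
verify_pinned_dsc() {
    dsc=$1; pinfile=$2
    dir=$(dirname "$dsc"); name=$(basename "$dsc")

    # 1. Compare the .dsc with the hash committed next to the build rules.
    want=$(awk -v f="$name" '$2 == f { print $1 }' "$pinfile")
    [ -n "$want" ] || { echo "no pin for $name" >&2; return 1; }
    got=$(sha256sum "$dsc" | awk '{ print $1 }')
    [ "$got" = "$want" ] || { echo "pin mismatch: $name" >&2; return 1; }

    # 2. The .dsc is now trusted; collect its " <sha256> <size> <file>" lines,
    #    which run from the field name to the next non-indented line.
    entries=$(awk '/^Checksums-Sha256:/ { s = 1; next }
                   s && /^[^ \t]/       { s = 0 }
                   s && NF == 3         { print $1, $2, $3 }' "$dsc")
    [ -n "$entries" ] || { echo "no Checksums-Sha256 entries" >&2; return 1; }

    # The loop runs in a subshell; its exit status becomes the function's.
    echo "$entries" | while read -r sum size file; do
        case $file in */*) echo "unsafe name: $file" >&2; exit 1 ;; esac
        [ -f "$dir/$file" ] || { echo "missing: $file" >&2; exit 1; }
        [ "$(wc -c < "$dir/$file" | tr -d ' ')" = "$size" ] ||
            { echo "size mismatch: $file" >&2; exit 1; }
        [ "$(sha256sum "$dir/$file" | awk '{ print $1 }')" = "$sum" ] ||
            { echo "hash mismatch: $file" >&2; exit 1; }
    done
}

# make_sample DIR: constructed fixture (not real isc-dhcp data) for a dry run.
make_sample() {
    printf 'constructed tarball bytes\n' > "$1/demo_1.0.orig.tar.gz"
    sum=$(sha256sum "$1/demo_1.0.orig.tar.gz" | awk '{ print $1 }')
    size=$(wc -c < "$1/demo_1.0.orig.tar.gz" | tr -d ' ')
    printf 'Format: 3.0 (quilt)\nSource: demo\nChecksums-Sha256:\n %s %s %s\nFiles:\n' \
        "$sum" "$size" demo_1.0.orig.tar.gz > "$1/demo_1.0.dsc"
    (cd "$1" && sha256sum demo_1.0.dsc > demo.hash)
}
```

Because the pin covers the whole .dsc, the result does not depend on the signing key being present in the local keyring or on the signature's validity period.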

@k-v1
Contributor Author

k-v1 commented May 11, 2023

Is there a way to only allow an expired signature when unauthenticated?

The keyrings maintained by the keyring-maint team are packaged in Debian as debian-keyring. This package is often not the most up to date version of the keyring, though it can be a good way to bootstrap trust if you trust the media you installed Debian from as the package will be verified using GnuPG when it is downloaded and installed. The installed keyrings are placed in /usr/share/keyrings.

We can install a new version of debian-keyring via rsync and overwrite the old files:
sudo rsync -az keyring.debian.org::keyrings/keyrings/ /usr/share/keyrings
In this case we get:

isc-dhcp_4.4.1-2.3+deb11u2.dsc:
      Good signature found
   validating isc-dhcp_4.4.1.orig.tar.gz
   validating isc-dhcp_4.4.1-2.3+deb11u2.debian.tar.xz
All files validated successfully.

But in theory it can break something else.
Maybe the better solution now is to just ignore a signature for the isc-dhcp package.

Contributor

@StormLiangMS StormLiangMS left a comment

LGTM

@StormLiangMS StormLiangMS merged commit ee1ab44 into sonic-net:master May 11, 2023
mssonicbld pushed a commit to mssonicbld/sonic-buildimage that referenced this pull request May 11, 2023
…nic-net#15002)

Why I did it
Fix sonic-net#15000
isc-dhcp 4.4.1-2.3+deb11u1 is no longer available in debian repository

How I did it
update isc-dhcp to new version 4.4.1-2.3+deb11u2
@mssonicbld
Collaborator

Cherry-pick PR to 202211: #15022

@mssonicbld
Collaborator

Cherry-pick PR to 202205: #15171

lukasstockner pushed a commit to genesiscloud/sonic-buildimage that referenced this pull request Jun 29, 2023
volodymyrsamotiy pushed a commit to volodymyrsamotiy/sonic-buildimage that referenced this pull request Sep 26, 2023
Successfully merging this pull request may close these issues.

SONiC image build error caused by isc-dhcp package build failure