Web lists-archives.com

Q: Where is keyring packaging guideline?


I want to make 3rd party keyring package (ITP). In the advance, I
want to know a best practice about *keyring* packaging. Any hints?


  When install packages from 3rd party repository,
  --allow-insecure-repositories must be specified to execute "apt

    sudo apt update --allow-insecure-repositories

  Then, need to install keyring package which 3rd party provides

    sudo apt install -y -V --allow-unauthenticated foobar-keyring

  This is reasonable because there is no correct key yet before
  installing it. But, if keyring is already available from Debian
  official repository, it makes easy to install for user which needs
  3rd party package.

  Steps without keyring in Debian (Before)
  1. enable 3rd party repository in /etc/apt/sources.list.d/foobar.list
  2. sudo apt update --allow-insecure-repositories
  3. sudo apt install -y -V --allow-unauthenticated foobar-keyring
  4. sudo apt update
  5. sudo apt install foobar-*

  Steps with keyring in Debian (After) without warnings
  1. enable 3rd party repository in /etc/apt/sources.list.d/foobar.list
  2. sudo apt install -y foobar-keyring
  3. sudo apt update
  4. sudo apt install foobar-*
  So, I plan to make one more 3rd party keryring into Debian.

What I think that package requirements for keyring:

  I've looked into some -keyring package, so I've learned from them
  but not convinced.

  * package name should be foobar-archive-keyring
  * package install keyring under /usr/share/keyrings
  * it is better to create symlink to actual keyring
    e.g. /etc/apt/trusted.gpg.d/foobar-archive-keyring.gpg to
  * confirm user to install keyring to /etc/apt/trusted.gpg.d/ by
    debconf. MUST or RECOMMENDED?


Kentaro Hayashi <kenhys@xxxxxxxxx>