Re: Q: Where is keyring packaging guideline?
- Date: Tue, 21 Aug 2018 13:39:29 +0800
- From: Paul Wise <pabs@xxxxxxxxxx>
- Subject: Re: Q: Where is keyring packaging guideline?
On Tue, Aug 21, 2018 at 1:21 PM, Kentaro Hayashi wrote:
> I want to make a 3rd party keyring package (ITP). In advance, I
> want to know a best practice about *keyring* packaging. Any hints?
There are some best practices for using 3rd party apt repos here:
> sudo apt install -y -V --allow-unauthenticated foobar-keyring
> This is reasonable because there is no correct key yet before
> installing it.
I don't think this is appropriate at all. Instead, always use an
out-of-band mechanism for confirming the appropriate OpenPGP keys.
Having the keyring package in Debian itself is a good idea, but at the
very bare minimum, download the key or fingerprint from a website that
uses a valid TLS certificate according to the X.509 CA trust model.
> So, I plan to make one more 3rd party keyring into Debian.
That seems like a reasonable way to provide a secure mechanism to install it.
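The out-of-band check Paul recommends, as an added example that is not part of the thread or of any Debian package: the key is fetched over TLS, its primary-key fingerprint is compared with one pinned from an independent source, and only then is it installed and bound to a single repository via signed-by. The URL, repository line, keyring path and fingerprint are placeholders; it assumes an ASCII-armored key, curl, and GnuPG 2.1.23 or later.

```shell
#!/bin/sh
# Added example, not from the thread: install a third-party apt key only after
# its primary-key fingerprint matches one obtained out of band, then bind the
# key to that one repository with signed-by instead of --allow-unauthenticated.
# KEY_URL, REPO_LINE, EXPECTED_FPR are placeholders; needs GnuPG >= 2.1.23.
set -eu
KEY_URL="https://example.org/foobar-archive-key.asc"      # assumed, armored, HTTPS
REPO_LINE="https://example.org/debian stable main"         # assumed
KEYRING="/usr/share/keyrings/foobar-archive-keyring.gpg"
# Placeholder for the fingerprint confirmed out of band (vendor page over TLS,
# a signed announcement, or the keyring package in Debian itself).
EXPECTED_FPR="0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"

# Canonical form for comparison: uppercase hex, no whitespace.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Fingerprint of each primary key in a keyring file, read without importing it;
# subkey fingerprints (those following a "sub" record) are skipped.
primary_fingerprints() {
    gpg --show-keys --with-colons --with-fingerprint "$1" 2>/dev/null |
        awk -F: '$1=="pub"{p=1;next} $1=="sub"{p=0} $1=="fpr"&&p{print $10;p=0}'
}

# Succeed only if a primary key in $1 carries the pinned fingerprint $2.
keyring_matches() {
    want=$(normalize_fpr "$2")
    for fpr in $(primary_fingerprints "$1"); do
        [ "$(normalize_fpr "$fpr")" = "$want" ] && return 0
    done
    return 1
}

# The sources.list.d line that restricts this key to this one repository.
sources_entry() {
    printf 'deb [signed-by=%s] %s\n' "$1" "$2"
}

# Fetch over TLS, check the pin, then install; run as root.
install_keyring() {
    tmp=$(mktemp)
    curl --proto '=https' --tlsv1.2 -fsSL "$KEY_URL" | gpg --dearmor > "$tmp"
    if ! keyring_matches "$tmp" "$EXPECTED_FPR"; then
        echo "fingerprint mismatch, refusing to install $KEY_URL" >&2
        rm -f "$tmp"; return 1
    fi
    install -m 0644 "$tmp" "$KEYRING"; rm -f "$tmp"
    sources_entry "$KEYRING" "$REPO_LINE" > /etc/apt/sources.list.d/foobar.list
}
```

Sourcing the file only defines the functions; after replacing the placeholders, call `install_keyring` as root, and a fingerprint mismatch leaves the system untouched.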