Web lists-archives.com

Re: Q: Where is keyring packaging guideline?




On Tue, Aug 21, 2018 at 2:39 PM, Paul Wise <pabs@xxxxxxxxxx> wrote:
> On Tue, Aug 21, 2018 at 1:21 PM, Kentaro Hayashi wrote:
>
>> I want to make 3rd party keyring package (ITP). In the advance, I
>> want to know a best practice about *keyring* packaging. Any hints?
>
> There are some best practices for using 3rd party apt repos here:
>
> https://wiki.debian.org/DebianRepository/UseThirdParty
>
>>   sudo apt install -y -V --allow-unauthenticated foobar-keyring
>>   This is reasonable because there is no correct key yet before
>>   installing it.
>
> I don't think this is appropriate at all. Instead, always use an
> out-of-band mechanism for confirming the appropriate OpenPGP keys.
> Having the keyring package in Debian itself is a good idea, but at
> very bare minimum, download the key or fingerprint from a website that
> uses a valid TLS certificate according to the X.509 CA trust model.
>
>> So, I plan to make one more 3rd party keryring into Debian.
>
> That seems like a reasonable way to provide a secure mechanism to install it.

I think keyring package is restricted, and won't easily get passed NEW queue.
If 3rd party keyring is feasible, I wonder why we don't have the deb
multimedia [1] keyring [2] in archive.
And emdebian's keyring [3] didn't hit archive, either.

[1] https://www.deb-multimedia.org
[2] https://www.deb-multimedia.org/dists/sid/main/binary-amd64/package/deb-multimedia-keyring
[3] http://www.emdebian.org

Cheers,
-- 
Roger Shimizu, GMT +9 Tokyo
PGP/GPG: 4096R/6C6ACD6417B3ACB1