
Re: Q: Where is keyring packaging guideline?

On Tue, Aug 21, 2018 at 2:39 PM, Paul Wise <pabs@xxxxxxxxxx> wrote:
> On Tue, Aug 21, 2018 at 1:21 PM, Kentaro Hayashi wrote:
>> I want to make a 3rd-party keyring package (ITP). In advance, I
>> want to know the best practice for *keyring* packaging. Any hints?
> There are some best practices for using 3rd party apt repos here:
> https://wiki.debian.org/DebianRepository/UseThirdParty
>>   sudo apt install -y -V --allow-unauthenticated foobar-keyring
>>   This is reasonable because there is no correct key yet before
>>   installing it.
> I don't think this is appropriate at all. Instead, always use an
> out-of-band mechanism for confirming the appropriate OpenPGP keys.
> Having the keyring package in Debian itself is a good idea, but at
> very bare minimum, download the key or fingerprint from a website that
> uses a valid TLS certificate according to the X.509 CA trust model.
>> So, I plan to make one more 3rd-party keyring into Debian.
> That seems like a reasonable way to provide a secure mechanism to install it.

I think a keyring package is restricted, and won't easily get past the NEW queue.
If a 3rd-party keyring is feasible, I wonder why we don't have the deb-multimedia
[1] keyring [2] in the archive.
And emdebian's keyring [3] didn't hit the archive, either.

[1] https://www.deb-multimedia.org
[2] https://www.deb-multimedia.org/dists/sid/main/binary-amd64/package/deb-multimedia-keyring
[3] http://www.emdebian.org

Roger Shimizu, GMT +9 Tokyo
PGP/GPG: 4096R/6C6ACD6417B3ACB1
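The quoted advice above (confirm the key out of band against a fingerprint published over TLS, rather than installing it with --allow-unauthenticated) is the part a practitioner has to get right. The following added example, which is not code from this thread, from Debian or from any of the posters, shows what that check means mechanically: it dearmors a public key block, walks the OpenPGP packets, computes the RFC 4880 v4 fingerprint of the primary key (SHA-1 over 0x99, a two-octet length and the key packet body) and compares it in constant time with a pinned fingerprint. The key block it works on is constructed inline with toy RSA numbers and a made-up user ID (`Foobar Keyring <keyring@example.invalid>`), so it is not a usable key; the pinned fingerprint in real use would be a literal copied from the vendor's HTTPS page or read from a keyring package already in Debian.

```python
"""Check an OpenPGP public key against a fingerprint obtained out of band.

Added example for this thread, not Debian's or the posters' code.
The key material below is constructed for the demo and is not a real key.
"""
import base64
import hashlib
import hmac
import struct

ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip ASCII armor, verify the CRC line, return the binary packets."""
    lines = [ln.strip() for ln in text.splitlines()]
    if ARMOR_BEGIN not in lines or ARMOR_END not in lines:
        raise ValueError("not an armored public key block")
    first, end = lines.index(ARMOR_BEGIN) + 1, lines.index(ARMOR_END)
    try:
        start = lines.index("", first, end) + 1  # armor headers end at a blank line
    except ValueError:
        start = first  # block without any armor headers
    payload, crc_line = [], None
    for ln in lines[start:end]:
        if ln.startswith("="):
            crc_line = ln[1:]
        elif ln:
            payload.append(ln)
    data = base64.b64decode("".join(payload), validate=True)
    if crc_line is not None and int.from_bytes(base64.b64decode(crc_line), "big") != crc24(data):
        raise ValueError("armor CRC mismatch: key block is corrupted")
    return data


def iter_packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("invalid packet header")
        pos += 1
        if hdr & 0x40:  # new-format header
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
            else:
                raise ValueError("partial body lengths are not supported here")
        else:  # old-format header: tag in bits 2-5, length size in bits 0-1
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                length = len(data) - pos
            else:
                size = (1, 2, 4)[ltype]
                length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        pos += length
        yield tag, body


def v4_fingerprint(key_body: bytes) -> str:
    """SHA-1 over 0x99, two-octet body length, and the key body (RFC 4880 12.2)."""
    if key_body[0] != 4:
        raise ValueError("only v4 keys are handled")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()


def primary_fingerprint(packets: bytes) -> str:
    for tag, body in iter_packets(packets):
        if tag == 6:  # first Public-Key packet is the primary key
            return v4_fingerprint(body)
    raise ValueError("no public key packet found")


def verify_key(armored: str, pinned_fingerprint: str) -> bool:
    """True only if the primary key's fingerprint equals the out-of-band one."""
    pinned = pinned_fingerprint.replace(" ", "").upper()
    return hmac.compare_digest(primary_fingerprint(dearmor(armored)), pinned)


def _mpi(value: int) -> bytes:
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


# Constructed demo key: v4, RSA, toy modulus (far too small to be real), e=65537.
DEMO_KEY_BODY = b"\x04" + struct.pack(">I", 1534824000) + b"\x01" + _mpi(0xC0FFEE1234567890ABCDEF0123456789) + _mpi(65537)
DEMO_UID = b"Foobar Keyring <keyring@example.invalid>"


def build_packets(new_format: bool = False, tamper: bool = False) -> bytes:
    body = bytearray(DEMO_KEY_BODY)
    if tamper:
        body[-1] ^= 0x01  # flip one bit of the key material
    if new_format:
        key_pkt = bytes([0xC0 | 6, len(body)]) + body  # new-format, one-octet length
    else:
        key_pkt = b"\x99" + struct.pack(">H", len(body)) + body  # old-format, two-octet length
    return key_pkt + bytes([0xB4, len(DEMO_UID)]) + DEMO_UID  # plus a User ID packet (tag 13)


def armor(packets: bytes) -> str:
    b64 = base64.b64encode(packets).decode()
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "\n".join([ARMOR_BEGIN, "", *[b64[i:i + 64] for i in range(0, len(b64), 64)], "=" + crc, ARMOR_END]) + "\n"


DEMO_ARMORED = armor(build_packets())

if __name__ == "__main__":
    fp = primary_fingerprint(dearmor(DEMO_ARMORED))  # in real use: the value copied over TLS
    print("fingerprint:", " ".join(fp[i:i + 4] for i in range(0, 40, 4)))
    print("key matches pinned fingerprint:", verify_key(DEMO_ARMORED, fp))
    print("tampered key matches:", verify_key(armor(build_packets(tamper=True)), fp))
```

Note that the fingerprint covers only the primary key packet: a changed user ID or a stripped signature does not alter it, which is why it is the right thing to pin. In day-to-day use `gpg --show-keys --with-fingerprint foobar.asc` gives the same value for comparison, and the verified key belongs in its own file referenced from the repository's `Signed-By` setting, so it never becomes a globally trusted apt key.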