Web lists-archives.com

Re: Q: Where is keyring packaging guideline?




On Tue, Aug 21, 2018 at 03:41:20PM +0200, Wouter Verhelst wrote:
>...
> I agree that having a key fingerprint on a valid TLS website is less
> good than having a trust anchor in Debian,
>...

The problem is that this is a trust anchor provided by Debian.

If a user installs the Emdebian or leap.se keyring package provided
in Debian stable, this makes any package from any source signed with
a corresponding private key trusted by Debian.

And any package installed from any repository has full root access on
your system, "adding a 3rd party repository" should really be considered
"giving root access to the people operating this repository".

This also opens the general question whether 3rd party repositories
should become strongly discouraged in general, and flatpak/snap/...
recommended instead.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed