Re: Q: Where is keyring packaging guideline?

Hi,

On Tue, Aug 21, 2018 at 14:39, Paul Wise <pabs@xxxxxxxxxx> wrote:
>
> On Tue, Aug 21, 2018 at 1:21 PM, Kentaro Hayashi wrote:
>
> > I want to make 3rd party keyring package (ITP). In the advance, I
> > want to know a best practice about *keyring* packaging. Any hints?
>
> There are some best practices for using 3rd party apt repos here:
>
> https://wiki.debian.org/DebianRepository/UseThirdParty

Thanks!
I've not checked it, so it is very helpful.
It seems to be exactly what I want.

> >   sudo apt install -y -V --allow-unauthenticated foobar-keyring
> >   This is reasonable because there is no correct key yet before
> >   installing it.
>
> I don't think this is appropriate at all. Instead, always use an
> out-of-band mechanism for confirming the appropriate OpenPGP keys.
> Having the keyring package in Debian itself is a good idea, but at
> very bare minimum, download the key or fingerprint from a website that
> uses a valid TLS certificate according to the X.509 CA trust model.

I know that it is not an appropriate way, but I didn't know about that wiki page [1] at that time.

[1] https://wiki.debian.org/DebianRepository/UseThirdParty

> > So, I plan to make one more 3rd party keyring into Debian.
> >
> That seems like a reasonable way to provide a secure mechanism to install it.

Now I understand that it is good enough to follow the instructions in the wiki content about 3rd party repositories [1].
No need to do 3rd party keyring ITP in this case.

Thanks for all the kind advice!

--
Kentaro Hayashi <kenhys@xxxxxxxxx>
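The out-of-band check Paul describes, written out as a small shell helper (an added example, not code from this thread, from the Debian wiki page, or from any keyring package): the key file is fetched over TLS, its primary fingerprint is compared against a value obtained separately, and only on a match is it placed under /usr/share/keyrings and pinned to one repository with signed-by, so `--allow-unauthenticated` is never needed. It assumes `gpg` (2.1.23 or newer for `--show-keys`) and an ASCII-armored key; the fingerprint, URLs and keyring name in the usage comment are placeholders.

```bash
#!/bin/sh
# Bootstrap a third-party apt keyring without --allow-unauthenticated.
set -u

# Normalize a fingerprint for comparison: drop spaces/colons and a leading
# "0x", uppercase the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# 0 when the two fingerprints are the same 40-hex-digit value after
# normalization; a short or truncated value never matches.
fpr_matches() {
    a=$(norm_fpr "$1"); b=$(norm_fpr "$2")
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Primary-key fingerprint of the first key in an OpenPGP key file (needs gpg).
key_fingerprint() {
    gpg --batch --with-colons --show-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# One-line apt source that trusts this keyring for this repository only.
# $1 keyring path, $2 repository URL, $3 suite, $4 components
sources_entry() {
    printf 'deb [signed-by=%s] %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Install the key only if its fingerprint equals the out-of-band value.
# $1 downloaded (armored) key file, $2 expected fingerprint, $3 destination
install_keyring() {
    actual=$(key_fingerprint "$1")
    if [ -z "$actual" ]; then
        echo "no OpenPGP key found in $1" >&2; return 1
    fi
    if ! fpr_matches "$2" "$actual"; then
        echo "fingerprint mismatch: expected $2, got $actual" >&2; return 1
    fi
    gpg --batch --yes --dearmor -o "$3" "$1" && chmod 0644 "$3"
}

# Usage (placeholder values; run as root):
#   curl -fsSL https://example.com/apt/KEY.asc -o /tmp/foobar.asc
#   install_keyring /tmp/foobar.asc "<FINGERPRINT FROM A TLS-PROTECTED PAGE>" \
#       /usr/share/keyrings/foobar-archive-keyring.gpg
#   sources_entry /usr/share/keyrings/foobar-archive-keyring.gpg \
#       https://example.com/apt stable main > /etc/apt/sources.list.d/foobar.list
```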