Re: Q: Where is keyring packaging guideline?
- Date: Fri, 24 Aug 2018 23:54:26 +0300
- From: Adrian Bunk <bunk@xxxxxxxxxx>
- Subject: Re: Q: Where is keyring packaging guideline?
On Thu, Aug 23, 2018 at 05:59:45AM -0700, Sean Whitton wrote:
> On Tue 21 Aug 2018 at 10:25AM GMT, Peter Palfrader wrote:
> > I'm not convinced that 3rd party keyring packages belong in the Debian
> > archive.
> > If the software itself is good and free, then it belongs into Debian
> > itself.
> > However, we shouldn't start shipping random key material for various
> > other places that just happen to offer their software in a format that
> > is consumable by apt.
> Providing the keyrings just as data, and not automatically adding them
> as trusted by apt, might be useful for bootstrapping trust paths,
How will Debian provide and maintain such trust paths in stable?
If we ship it in a stable release, it is Debian that provides some
initial level of trust.
So far Debian has completely failed on properly vetting and
DSA-maintaining 3rd party keys in Debian releases.
> Sean Whitton
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed