Bug#733179: debootstrap should abort if the keyring is missing, not just warn
Making debootstrap fail by default on missing keyring is not going to
somehow make all the people who are using it insecurely learn about the
WoT and get a verified keyring.

The actual effect is it'll make a lot of documentation and probably
quite a lot of scripts obsolete/broken for a while, until everyone
learns to run debootstrap with --no-check-gpg to work around the change.

Which would be only a little annoying, but if everyone gets in the habit
of using debootstrap --no-check-gpg, they'll also use it when
debootstrapping Debian on Debian. We risk regressing to less
security by trying to shove complicated security down users' throats.

I actually think it would be more of a win to change the default mirror
url from the current http://ftp.us.debian.org/ to a https url. This
provides weak (CA) verification on systems without the Debian keyring,
which is considerably better than nothing.

A good candidate for such a mirror is https://mirrors.kernel.org/debian,
although it's not currently in the {ftp,http}.us.debian.org rotation for
some reason, and lacks IPv6. (None of the {ftp,http}.us.debian.org
mirrors currently support https.) Due to those limitations, and to avoid
overloading it, I've modified debootstrap to default to the https mirror only
when the gpg keyring is not available.

-- 
see shy jo
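An added illustration, not the author's debootstrap patch and not part of the original mail: a POSIX shell sketch of the fallback the message describes, selecting the https mirror only when no Debian archive keyring is readable, and never reaching for --no-check-gpg. Assumed here: the keyring path that debian-archive-keyring installs on Debian, the /debian path suffix on both mirror URLs, and the function names.

```shell
#!/bin/sh
# Mirror selection as described in the mail (constructed example, not debootstrap code).
# Assumption: the default keyring path is the one debian-archive-keyring ships.
DEFAULT_KEYRING="/usr/share/keyrings/debian-archive-keyring.gpg"
DEFAULT_HTTP_MIRROR="http://ftp.us.debian.org/debian"     # /debian suffix assumed
FALLBACK_HTTPS_MIRROR="https://mirrors.kernel.org/debian"

# choose_mirror KEYRING
# With a readable keyring, archive signatures can be verified, so the plain
# http mirror is fine. Without one, fall back to https so that at least the
# CA-based transport check applies (weaker than the WoT keyring, better than nothing).
choose_mirror() {
    if [ -r "$1" ]; then
        echo "$DEFAULT_HTTP_MIRROR"
    else
        echo "$FALLBACK_HTTPS_MIRROR"
    fi
}

# verification_mode KEYRING: what actually protects the download.
#   gpg        -> Release file signature checked against the keyring
#   https-only -> only the mirror's TLS certificate chain is checked
verification_mode() {
    if [ -r "$1" ]; then echo gpg; else echo https-only; fi
}

# build_cmd SUITE TARGET [KEYRING]: print (do not run) the debootstrap command line.
# --keyring= is a real debootstrap option; --no-check-gpg is deliberately never added,
# so debootstrap itself still warns when it cannot verify.
build_cmd() {
    suite="$1"; target="$2"; keyring="${3:-$DEFAULT_KEYRING}"
    mirror=$(choose_mirror "$keyring")
    if [ "$(verification_mode "$keyring")" = "gpg" ]; then
        echo "debootstrap --keyring=$keyring $suite $target $mirror"
    else
        echo "warning: no keyring at $keyring; relying on https (CA) only" >&2
        echo "debootstrap $suite $target $mirror"
    fi
}
```

Run `build_cmd wheezy /srv/chroot` to see which mirror and verification mode a given host would end up with; install debian-archive-keyring to move from https-only back to gpg.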
