Re: Emdebian archive key for Lenny
* Neil Williams [Wed, 31 Dec 2008 14:59:47 +0000]:
> 3. Only put the Emdebian key into *udeb* (debian-archive-keyring-udeb)
> in Debian Lenny so that once the D-I images are updated for the final
> release, only the installer can verify the Emdebian archive - this
> means that the installed systems have no Emdebian keys installed unless
> the user subsequently chooses to install the relevant package from
> Debian. This change has no effect *unless* the installation is
> pre-seeded to use the Emdebian archive or the user deliberately enters
> the full Emdebian archive details into the relevant installation
Of all the options you suggest, #3 is the one that we consider the most
viable, provided that the d-i RMs agree to it. However:
> 2. Bring the Emdebian repository/server under the control of
> debian-release so that the repository can be signed by a key already in
> debian-archive-keyring, dropping the current Emdebian key completely, or
> 2a. Bring *a copy of the* Emdebian Grip repository under the control of
> debian-release so that it can be signed by a key already in
> debian-archive-keyring, or
There is a variation of this, which consist in us signing your Release
file at the time of Lenny release. This has the advantage that, should
either the Emdebian server or the Emdebian key become compromised,
installation using d-i is not compromised.
We'd be okay with doing this, since there is a trust path from the
Emdebian Release file (explicitly signed by you) to the Debian keyring,
and it only gets activated on request by the d-i user.
However, how often is the Emdebian Lenny Grip repository to be updated
throughout Lenny's lifetime? If it's to follow closely Lenny itself, and
only be updated at point releases, it's not too much hassle to sign an
extra Release file each time we sign Debian proper's. Is that what's
going to happen?
(OTOH I don't know if you plan on rebuilding lenny-security and
lenny-proposed-updates as well, but that should be less of a concern,
since those suites could be signed with the Emdebian key -- supposing
activating -security from d-i happens at a time that emdebian-keyring is
already installed an active, you should check that if you haven't).
Adeodato Simó dato at net.com.org.es
Debian Developer adeodato at debian.org
The true teacher defends his pupils against his own personal influence.
-- Amos Bronson Alcott