Debian derivatives census: repository OpenPGP key distribution?

Hi all,

The derivatives census has long needed to properly verify signatures of
the apt repositories of derivatives in the census. Until now we have
been faking good signatures using somewhat brittle hacks.

To that end, I'd like to hear about derivatives' handling of apt
repository OpenPGP keys. Based on the discussion I'll update the census
template to get more info and try to work on improving the situation.

I'm particularly interested in a few things:

How would new users bootstrap trust of your keys?

How do you handle updates to your keys?

How do you handle replacement of your keys?

How would Debian users securely obtain your keys for use in chdist or
apt-venv? These allow running apt commands on alternative repositories
without adding those repos to your system configuration.