Hi all,

The derivatives census has long needed to properly verify signatures of the apt repositories of derivatives in the census. Until now we have been faking good signatures using somewhat brittle hacks. To that end, I'd like to hear about derivatives' handling of apt repository OpenPGP keys. Based on the discussion I'll update the census template to get more info and try to work on improving the situation.

I'm particularly interested in a few things:

How would new users bootstrap trust of your keys?

How do you handle updates to your keys?

How do you handle replacement of your keys?

How would Debian users securely obtain your keys for use in chdist or apt-venv? These allow running apt commands on alternative repositories without adding those repos to your system configuration.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise