
Re: Debian derivatives census: repository OpenPGP key distribution?



On 2019-05-06 11:46, Paul Wise wrote:
To that end, I'd like to hear about derivatives' handling of apt
repository OpenPGP keys. Based on the discussion I'll update the census
template to get more info and try to work on improving the situation.

Hi Paul,
BunsenLabs uses the Debian Stable repository as-is, and adds one of our own for some additional packages (mostly config). I passed your enquiry on to our webmaster and got the following reply. If there is anything else we can clarify, please ask!

(start quote)
---

How would new users bootstrap trust of your keys?

  * Installation of our derivative is possible using ISOs or installing packages
    on top of plain Debian.

  * ISO path:
    * ISO contains the current keys
    * ISO is downloaded using HTTPS (valid certificate) or BitTorrent
    * Users are encouraged to check the ISO file against a detached PGP
      signature (same signing key actually)
    * The public key is retrievable using HTTPS
    * Commands for verifying are listed on the install website

  * Package path:
    * Users retrieve the PGP key using HTTPS
    * Users check the fingerprint
    * Users import the key into their APT keyring

How do you handle updates to your keys?

  * We forked the debian-keyring package as bunsen-keyring. See
    <https://github.com/BunsenLabs/bunsen-keyring>.

  * The package is included in the base ISO. The package is required by our
    catch-all meta package if the user chose to install without our ISO image.

  * Upon installation, the package ensures that the global APT keyring doesn't
    contain our keys. The package deploys our keys to /etc/apt/trusted.gpg.d.

  * Updates to the keys thusly happen through our signed repository.

  * The key is valid for 2 years and gets updated for another period before
    expiration. If the user does not update his system within two years at
    least once, he has to manually download the current keyring package using
    HTTPS.

How do you handle replacement of your keys?

In the context of the bunsen-keyring package, replacement and updates are the
same thing (exchanging the key file in /etc/apt/trusted.gpg.d).

How would Debian users securely obtain your keys for use in chdist or
apt-venv? These allow running apt commands on alternative repositories
without adding those repos to your system configuration.

I'm not familiar with these tools. Since we have the following available:

  * Signing key at an HTTPS URL or keyring package at an HTTPS URL
  * Signed, standard APT repository
  * A catch-all meta package

and hard-depend on the standard Debian repositories, any tool that allows
specifying additional repositories, a key by URL and a package to install would
be suitable to deploy BL in a container or chroot (effectively being the
package-based install path from before).

BL was never meant to be bootstrapped without a Debian repo, so we do not offer
single-source repositories and depend on repository composition instead.
---
(end quote)

And of course we also welcome any feedback.
--
John
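The package-install path above has the user fetch the key over HTTPS, check its fingerprint, and import it, and the keyring section notes that a key left unrefreshed for two years expires. The script below is an added example (not code from this message or from the bunsen-keyring project) showing what a scripted version of that check looks like before a key is dropped into /etc/apt/trusted.gpg.d: it takes the machine-readable listing of the downloaded key file, requires exactly one key with the pinned fingerprint, and refuses an expired key. The fingerprint, timestamps and listing are constructed, not BunsenLabs' real values.

```shell
#!/bin/sh
# Added example, not from the BunsenLabs message or the bunsen-keyring project.
# Input is the colon-format listing of a downloaded key file, as produced by
#   gpg --show-keys --with-colons bunsen.asc      (gpg >= 2.1.23)
# Sample listing, fingerprint and timestamps below are constructed.

# Primary-key fingerprint is the 'fpr' record directly after 'pub' (field 10).
# Prints "ok" on an exact match, "badcount" unless the file holds exactly one
# key (a key file should carry only the pinned key), "mismatch" otherwise.
check_fingerprint() {
    printf '%s\n' "$1" | awk -F: -v want="$2" '
        $1 == "pub" { pubs++; primary = 1; next }
        $1 == "fpr" && primary { fpr = $10; primary = 0 }
        END {
            if (pubs != 1) print "badcount"
            else if (fpr == want) print "ok"
            else print "mismatch"
        }'
}

# Days until the primary key expires: 'pub' field 7 is the expiry as epoch
# seconds, empty for a key that never expires. Negative means already expired.
days_until_expiry() {
    printf '%s\n' "$1" | awk -F: -v now="$2" '
        $1 == "pub" { if ($7 == "") print "never"; else print int(($7 - now) / 86400); exit }'
}

# Decision for a key listing $1 against pinned fingerprint $2 at time $3
# (epoch seconds): returns 0 only when the fingerprint matches and the key is
# still valid; an expired key means the keyring package must be re-fetched.
verify_key() {
    fp=$(check_fingerprint "$1" "$2")
    [ "$fp" = ok ] || { echo "reject: fingerprint check: $fp"; return 1; }
    left=$(days_until_expiry "$1" "$3")
    if [ "$left" != never ] && [ "$left" -lt 0 ]; then
        echo "reject: key expired ${left#-} days ago; fetch the current keyring package over HTTPS"
        return 1
    fi
    case $left in never) echo "accept: fingerprint matches, key does not expire";;
                  *) echo "accept: fingerprint matches, $left days of validity left";; esac
}

# Constructed listing: one 4096-bit RSA key created 2019-05-06, valid two years.
SAMPLE='pub:-:4096:1:0123456789ABCDEF:1557100000:1620172000::-:::scESC::::::23::0:
fpr:::::::::0000111122223333444455556666777788889999:
uid:-::::1557100000::CAFEBABECAFEBABECAFEBABECAFEBABECAFEBABE::BunsenLabs (constructed) <keys@example.invalid>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1557100000:1620172000:::::s::::::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF00001111222233334444:'
PINNED=0000111122223333444455556666777788889999   # constructed pinned fingerprint
NOW=1600000000                                     # constructed "current" time

verify_key "$SAMPLE" "$PINNED" "$NOW"
```

Real deployments should pin the fingerprint from an out-of-band source (the install website over HTTPS, as the message describes), not from the key file itself.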

