Re: Debian derivatives census: repository OpenPGP key distribution?
On 2019-05-06 11:46, Paul Wise wrote:
> To that end, I'd like to hear about derivatives' handling of apt
> repository OpenPGP keys. Based on the discussion I'll update the census
> template to get more info and try to work on improving the situation.
BunsenLabs uses the Debian Stable repository as-is, and adds one of our
own for some additional packages (mostly config). I passed your enquiry
on to our webmaster and got the following reply. If there is anything
else we can clarify, please ask!
> How would new users bootstrap trust of your keys?
* Installation of our derivative is possible using ISOs or installing
  on top of plain Debian.
* ISO path:
  * ISO contains the current keys
  * ISO is downloaded using HTTPS (valid certificate) or BitTorrent
  * Users are encouraged to check the ISO file against a detached PGP
    signature (same signing key actually)
  * The public key is retrievable using HTTPS
  * Commands for verifying are listed on the install website
* Package path:
  * Users retrieve the PGP key using HTTPS
  * Users check the fingerprint
  * Users import the key into their APT keyring
> How do you handle updates to your keys?
* We forked the debian-keyring package as bunsen-keyring. See
* The package is included in the base ISO. The package is required by our
  catch-all meta package if the user chose to install without our ISO
* Upon installation, the package ensures that the global APT keyring
  contains our keys. The package deploys our keys to
* Updates to the keys thusly happen through our signed repository.
* The key is valid for 2 years and gets updated for another period before
  expiration. If the user does not update his system within two years
  once, he has to manually download the current keyring package using
> How do you handle replacement of your keys?
In the context of the bunsen-keyring package, replacement and updates are the
same thing (exchanging the key file in /etc/apt/trusted.gpg.d).
> How would Debian users securely obtain your keys for use in chdist or
> apt-venv? These allow running apt commands on alternative repositories
> without adding those repos to your system configuration.
I'm not familiar with these tools. Since we have the following available:
* Signing key at a HTTPS URL or keyring package at a HTTPS URL
* Signed, standard APT repository
* A catch-all meta package
and hard-depend on the standard Debian repositories, any tool that allows
specifying additional repositories, a key by URL and a package to
be suitable to deploy BL in a container or chroot (effectively being the
package-based install path from before).
BL was never meant to be bootstrapped without a Debian repo, so we do
single-source repositories and depend on repository composition instead.
And of course we also welcome any feedback.
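The ISO path and the package path described above, written out as an added example (not BunsenLabs' own tooling or the bunsen-keyring package): the fingerprint published out of band is pinned before the key is trusted, and the detached ISO signature is checked against that pinned key rather than against whatever happens to be in the keyring. File names, the fingerprint value and the target directory are placeholders.

```shell
#!/bin/sh
# Added example, not BunsenLabs' code: pin the repository key's fingerprint,
# verify the ISO's detached signature with only that key, then install the key
# where APT looks. EXPECTED_FPR, file names and the APT directory are placeholders.
set -eu

# Import a downloaded ASCII-armoured key into a throwaway keyring and refuse it
# unless the primary key's 40-hex fingerprint is the one published out of band.
# import_pinned_key <key.asc> <keyring> <40-hex-fingerprint>
import_pinned_key() {
    gpg --batch --no-default-keyring --keyring "$2" --import "$1" >/dev/null 2>&1
    got=$(gpg --batch --no-default-keyring --keyring "$2" --with-colons --fingerprint \
          | awk -F: '$1=="fpr"{print $10; exit}')
    [ "$got" = "$3" ] || { echo "fingerprint mismatch: got ${got:-none}" >&2; return 1; }
}

# Verify the ISO's detached signature using only that keyring, then inspect the
# VALIDSIG status line: gpg's exit status alone says "some key in the keyring
# verified it", not which one, so the last field (primary key fingerprint) is
# compared with the pinned value. Fails on a bad signature or a different key.
# verify_iso <iso> <iso.sig> <keyring> <40-hex-fingerprint>
verify_iso() {
    gpg --batch --no-default-keyring --keyring "$3" --status-fd 1 \
        --verify "$2" "$1" 2>/dev/null \
    | awk -v want="$4" '$1=="[GNUPG:]" && $2=="VALIDSIG" && $NF==want {ok=1} END {exit !ok}'
}

# Package path: once the fingerprint check passes, drop the dearmoured key into
# the trusted.gpg.d directory (what the keyring package does via dpkg).
# install_apt_key <key.asc> <40-hex-fingerprint> <trusted.gpg.d directory>
install_apt_key() {
    work=$(mktemp -d)
    if import_pinned_key "$1" "$work/kr.gpg" "$2"; then
        gpg --batch --dearmor < "$1" > "$3/derivative-archive-keyring.gpg"
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return "$rc"
}
```

In real use the two fingerprint arguments are the value taken from the derivative's website, not from the key file itself; a key downloaded over HTTPS alone only proves who served it, not that it is the archive key.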