Re: bits from the release team

To: Andreas Barth <aba@not.so.argh.org>
Cc: debian-devel@lists.debian.org
Subject: Re: bits from the release team
From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
Date: Fri, 05 May 2006 00:11:49 +0200
Message-id: <[🔎] 878xphphi2.fsf@informatik.uni-tuebingen.de>
In-reply-to: <20060502203633.GR9262@mails.so.argh.org> (Andreas Barth's message of "Tue, 2 May 2006 22:36:33 +0200")
References: <20060502203633.GR9262@mails.so.argh.org>

Andreas Barth <aba@not.so.argh.org> writes:

>  - secure apt
> secure apt is now part of testing.  However, we need to do something for key
> management etc - so some small issues need to be resolved.

>From a usability standpoint I find this the largest problem in debian
today. Finding the right key and getting it added to apt has been a
problem for so many users already and those are only the etch/sid
users.

I have two suggestions on this subject:

1) Create debian/dists/<suite>/Release.key

I asked ftp-master before to place the respective key there but so far
nothing has happened.

The key should be placed in a common place for any apt-get-able
archive, be that debian, ubuntu, security, backports or any of the
others. Placing the key next to the Release and Release.gpg file is
the most logical place for both software and humans to find it.

Having Release.key be a keyring (instead of a single key) should allow
it to include revokations in case a key gets compromised, right?

2) 'apt-* update' should fetch Release.key

Keys should be fetchable directly from a debian archive, be that a cd,
file, ftp or http url in sources.list. I would prefer apt-get update
to do that when needed but if someone insists then apt-key update can
do it and apt-get can tell users about that for missing keys.

For obvious reasons a fetched key(ring) should not be silently added
to the apt keyring but checked first. That means checking all
signatures, showing the user the result [e.g. New key <id>: X
signatures check, Y signatures unknown, Z signatures
failed. Accept/Reject/Ignore/Details?] and let the user decide what to
do about it.

A user should not have to first research about gpg and apt-key at length
to find the correct syntax and definetly shouldn't be at loss as to
where to find the key as it is now.

Having the key in the debian-keyring package was a nice idea but
ultimatly useless. Sarge users can't fetch the new etch keyring
package because the signature doesn't match and the signature doesn't
match because the sarge keyring doesn't have the key. Fun fun fun.

MfG
        Goswin

Reply to:

Follow-Ups:
- Re: bits from the release team
  - From: Joey Hess <joeyh@debian.org>

Prev by Date: Re: Emacs out for lunch?
Next by Date: Bug#366069: ITP: fusesmb -- filesystem client based on the samba file transfer protocol
Previous by thread: Bug#366041: ITP: python-pastedeploy -- Load, configure, and compose WSGI applications and servers
Next by thread: Re: bits from the release team
Index(es):
- Date
- Thread