Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
On Sun, 2008-06-22 at 22:39 +0200, Patrick Schoenfeld wrote:
> On Sun, Jun 22, 2008 at 09:37:46PM +0200, Goswin von Brederlow wrote:
> > PS: I would prefer if apt-get could fetch and verify keyring updates
> > directly from a repository though. Keyring packages are awful for key
> > rollovers.
>
> Do you mean from a central repository, somewhat like a keyserver? :-)
> How would one check integrity then?
Precisely as you do with any key - signatures and gpg integrity checks
when the key is imported into apt-key.
The repository would simply provide the ASCII armoured GPG key file that
would be signed by keys belonging to relevant people - in that respect,
it's not that different to any package. The text file is useless without
being imported into gpg so the integrity checks in gpg provide the
integrity check.
--
Neil Williams <codehelp@debian.org>
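
The check discussed in this thread, sketched as an added example (not code from the thread, apt or Debian): a key file fetched from a repository is accepted only if it carries a good certification from a key that is already trusted. It assumes GnuPG 2.1 or later and reads "signed by relevant people" as certifications on the key itself; the function names, directory layout and example.invalid identities are constructed for the demo.

```shell
#!/bin/sh
# Added example; every key is a throwaway generated under a temp directory.
g() { h=$1; shift; gpg --homedir "$h" --batch --quiet --no-tty --pinentry-mode loopback "$@"; }

# Succeed only if every new key in file $2 carries a good certification made
# by a key already present in the trusted homedir $1. The check runs in a
# scratch homedir, so a rejected key never touches the real keyring.
key_certified_by_trusted() {
    s=$(mktemp -d) && chmod 700 "$s" || return 2
    g "$1" --export | g "$s" --import 2>/dev/null
    t=$(g "$s" --with-colons --list-keys 2>/dev/null |
        awk -F: '$1 == "pub" { printf "%s ", $5 }')
    g "$s" --import "$2" 2>/dev/null
    # In --with-colons output a "sig" record whose field 2 starts with "!"
    # is a signature gpg verified; field 5 is the signer's key ID.
    g "$s" --with-colons --check-sigs 2>/dev/null | awk -F: -v t="$t" '
        BEGIN { n = split(t, a, " "); for (i = 1; i <= n; i++) T[a[i]] = 1 }
        $1 == "pub" { cur = $5; if (!(cur in T)) { need[cur] = 1; new++ } }
        $1 == "sig" && $2 ~ /^!/ && ($5 in T) { delete need[cur] }
        END { if (!new) exit 1; for (k in need) exit 1 }'
    rc=$?
    rm -rf "$s"
    return $rc
}

# Build constructed test data under $1: trusted/ holds the current archive
# key, signed.asc is a rollover key certified by it, rogue.asc is not.
make_demo() {
    mkdir -m 700 "$1/trusted"
    for k in old new rogue; do
        mkdir -m 700 "$1/$k"
        g "$1/$k" --passphrase '' --quick-generate-key \
            "demo $k <$k@example.invalid>" default default never
    done 2>/dev/null
    g "$1/old" --export | g "$1/trusted" --import 2>/dev/null
    fpr=$(g "$1/new" --with-colons --fingerprint |
          awk -F: '$1 == "fpr" { print $10; exit }')
    g "$1/new" --export | g "$1/old" --import 2>/dev/null
    g "$1/old" --quick-sign-key "$fpr" 2>/dev/null
    g "$1/old" --armor --export "$fpr" > "$1/signed.asc"
    g "$1/rogue" --armor --export > "$1/rogue.asc"
}

DEMO=$(mktemp -d) && make_demo "$DEMO"
key_certified_by_trusted "$DEMO/trusted" "$DEMO/signed.asc" && echo "signed.asc: accept"
key_certified_by_trusted "$DEMO/trusted" "$DEMO/rogue.asc" || echo "rogue.asc: reject"
```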