Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository

[Robert Millan <rmh@aybabtu.com>]

On Sun, Jun 22, 2008 at 10:34:15PM +0200, Luk Claes wrote:
> Robert Millan wrote:
> > On Sat, Jun 21, 2008 at 03:52:12PM +0200, Alexander Wirt wrote:
> >> I'm still not that sure if its a good idea to add a non-offical debian repo
> >> keyring into the archive... But I let the decision to the ftp-masters..
> > 
> > Well, currently a problem is the only way to get a trusted path to the bpo
> > repository is by fetching debian-backports-keyring from it, checking your
> > signature in its .dsc, etc.  So this is what I'm trying to solve.
> 
> Hmm, are there not 2 other ways documented on backports.org as you can
> see below?
> --------------------------
>  If you are using etch and you want apt to verify the downloaded
> backports you can import backports.org archive’s key into apt:
> 
> apt-get install debian-backports-keyring
> 
> or
> 
> gpg --keyserver hkp://subkeys.pgp.net --recv-keys 16BA136C
> gpg --export | apt-key add -
> 
> or
> 
> wget -O - http://backports.org/debian/archive.key | apt-key add -
> --------------------------

These examples just add the key to apt's keyring, but they don't provide any
trusted path to it.  One has to blindly believe that the key being downloaded
by apt-get, gpg [1] or wget belongs to its owner.

[1] In the gpg example, you could happen to have a trusted key in your database
    that provides a trusted path to bpo's key, but for the average user this is
    IMHO not an acceptable solution.

-- 
Robert Millan

<GPLv2> I know my rights; I want my phone call!
<DRM> What good is a phone call… if you are unable to speak?
(as seen on /.)