Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
On Sun, Jun 22, 2008 at 10:34:15PM +0200, Luk Claes wrote:
> Robert Millan wrote:
> > On Sat, Jun 21, 2008 at 03:52:12PM +0200, Alexander Wirt wrote:
> >> I'm still not that sure if it's a good idea to add a non-official debian repo
> >> keyring into the archive... But I leave the decision to the ftp-masters..
> >
> > Well, currently a problem is that the only way to get a trusted path to the bpo
> > repository is by fetching debian-backports-keyring from it, checking your
> > signature in its .dsc, etc. So this is what I'm trying to solve.
>
> Hmm, are there not 2 other ways documented on backports.org as you can
> see below?
> --------------------------
> If you are using etch and you want apt to verify the downloaded
> backports you can import backports.org archive’s key into apt:
>
> apt-get install debian-backports-keyring
>
> or
>
> gpg --keyserver hkp://subkeys.pgp.net --recv-keys 16BA136C
> gpg --export | apt-key add -
>
> or
>
> wget -O - http://backports.org/debian/archive.key | apt-key add -
> --------------------------
These examples just add the key to apt's keyring, but they don't provide any
trusted path to it. One has to blindly believe that the key being downloaded
by apt-get, gpg [1] or wget belongs to its owner.
[1] In the gpg example, you could happen to have a trusted key in your database
that provides a trusted path to bpo's key, but for the average user this is
IMHO not an acceptable solution.
--
Robert Millan
<GPLv2> I know my rights; I want my phone call!
<DRM> What good is a phone call… if you are unable to speak?
(as seen on /.)
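Added example, not part of Robert Millan's post nor of the backports.org instructions quoted above: the three recipes hand whatever bytes arrive to `apt-key add`, so the minimum a user can do is compare the full fingerprint of the fetched key against a value obtained some other way (printed in a signed package, read off a developer's business card, checked over a web of trust) before importing it. The script below parses a binary OpenPGP key blob as `gpg --export` produces it, computes the v4 fingerprint (SHA-1 over `0x99`, a two-octet length and the public-key packet body, RFC 4880 section 12.2) and refuses anything that does not match. The key it operates on is a constructed toy RSA key, not the real 16BA136C key, and `EXPECTED_FPR` stands in for the out-of-band value; it is not a fingerprint the page provides.

```python
"""Pin an archive key's full fingerprint before trusting it (added example)."""
import hashlib
import struct

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit count, then big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def build_v4_rsa_pubkey_body(created: int, n: int, e: int) -> bytes:
    """RFC 4880 5.5.2: version 4, creation time, algorithm 1 (RSA), MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def wrap_old_format(tag: int, body: bytes) -> bytes:
    """Old-format packet header with a 2-octet length (tag 6 becomes the 0x99 CTB)."""
    return bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body)) + body

def wrap_new_format(tag: int, body: bytes) -> bytes:
    """New-format packet header, one- or two-octet length as in RFC 4880 4.2.2."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body

def parse_packets(data: bytes):
    """Yield (tag, body) for each packet, accepting old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                       # new format
            tag = ctb & 0x3F
            first = data[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                # old format
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled here")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + size], "big"); i += size
        yield tag, data[i:i + length]
        i += length

def v4_fingerprint(pubkey_body: bytes) -> str:
    """SHA-1 of 0x99 || 2-octet body length || body, as hex (RFC 4880 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body).hexdigest().upper()

def primary_fingerprint(keyblob: bytes) -> str:
    """Fingerprint of the first public-key packet (tag 6); framing does not affect it."""
    for tag, body in parse_packets(keyblob):
        if tag == 6:
            if body[0] != 4:
                raise ValueError("only v4 keys are handled")
            return v4_fingerprint(body)
    raise ValueError("no public-key packet found")

def short_keyid(fpr: str) -> str:
    """The 32-bit 'short ID' (e.g. 16BA136C) is the tail of the fingerprint and is not unique."""
    return fpr[-8:]

def safe_to_import(keyblob: bytes, expected_fpr: str) -> bool:
    """True only when the full 160-bit fingerprint equals the out-of-band value."""
    return primary_fingerprint(keyblob) == expected_fpr.replace(" ", "").upper()

# Constructed toy key: a tiny, unusable RSA modulus chosen only to exercise the parser.
_BODY = build_v4_rsa_pubkey_body(0x485E7A00, 0xC0FFEE1234567890ABCDEF, 65537)
FAKE_KEY = wrap_old_format(6, _BODY)
FAKE_KEY_NEW_FORMAT = wrap_new_format(6, _BODY)
TAMPERED_KEY = wrap_old_format(6, build_v4_rsa_pubkey_body(0x485E7A00, 0xC0FFEE1234567890ABCDEF, 3))

if __name__ == "__main__":
    EXPECTED_FPR = primary_fingerprint(FAKE_KEY)   # placeholder for the value you got out of band
    print("fingerprint:", EXPECTED_FPR, "short id:", short_keyid(EXPECTED_FPR))
    print("genuine key accepted:", safe_to_import(FAKE_KEY, EXPECTED_FPR))
    print("tampered key accepted:", safe_to_import(TAMPERED_KEY, EXPECTED_FPR))
```

In practice you would pipe `wget -O - .../archive.key | gpg --dearmor` into `primary_fingerprint` and only then run `apt-key add`; the comparison is only as good as the channel the expected fingerprint came from, which is exactly the gap the post describes.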