Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository

To: Patrick Schoenfeld <schoenfeld@in-medias-res.com>
Cc: debian-devel@lists.debian.org
Subject: Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
From: Goswin von Brederlow <goswin-v-b@web.de>
Date: Mon, 23 Jun 2008 01:07:38 +0200
Message-id: <[🔎] 87abhdxe4l.fsf@frosties.localdomain>
In-reply-to: <[🔎] 20080622210638.GC4944@in-medias-res.com> (Patrick Schoenfeld's message of "Sun, 22 Jun 2008 23:06:38 +0200")
References: <[🔎] 20080621122748.GA20837@thorin> <[🔎] 20080621135212.GA27751@apu.snow-crash.org> <[🔎] 200806211935.05366.holger@layer-acht.org> <[🔎] 20080621173807.GB1591@connexer.com> <[🔎] 20080622161424.GA3293@in-medias-res.com> <[🔎] 485E951E.8070801@zombino.com> <[🔎] 87y74xw99x.fsf@frosties.localdomain> <[🔎] 20080622203912.GB4944@in-medias-res.com> <[🔎] 1214168083.3907.33.camel@dwarf.codehelp> <[🔎] 20080622210638.GC4944@in-medias-res.com>

Patrick Schoenfeld <schoenfeld@in-medias-res.com> writes:

> Hi Neil,
>
> On Sun, Jun 22, 2008 at 09:54:43PM +0100, Neil Williams wrote:
>> > Do you mean from a central repository, somewhat like a keyserver? :-)
>> > How would one check integrity then?
>> 
>> Precisely as you do with any key - signatures and gpg integrity checks
>> when the key is imported into apt-key.
>
> well I understood the proposal to do it automatically so it wouldn't
> happen like I handle it currently. Now I have the possibility to
> explicit allow and deny certain keys in my setup. I can do this by
> checking mostly objective standpoints but also because I don't like the
> nose of the one providing the repository, so to say.
>
> Thats an important point, because technical aspects cannot decide
> weither you trust someone or not (except for the trust level on the key)
> So the key would needed to be signed by someone who *I* actually trust.
>
> Regards,
> Patrick

For example: Each repository puts its keyring into Release.keyring
(next to Release and Release.gpg). The Release.keyring could be listed
with checksum in Release so frontends know it is there and when it
changes.

apt-get/aptitude update would automatically fetch Release.keyring into
/var/cache/apt/archives/partial/, pick out all changed keys and verify
their signatures with the existing apt keyring and possibly some
/usr/share/keyrings/*.

Depending on what signatures are found I could envision the following
next:

- Key rollover: changes can be verified with apts own keyring (new key
  is signed by old key). Accept key without interaction. A simple
  notice should do fine.

- Rollover failure but role-key verifiable: changes can not be
  verified by apts own keyring but by *-role-keys.gpg. Display the
  signatures and go interactive. Default should be to accept the key.

- No or loose verification: neither apts nor the *-role-keys.gpg keyrings
  can verify the change. Display the signatures indicating where
  e.g. debian-keyring.gpg can verify one and go interactive. Default
  should be NOT to accept the key. Users should really verify the key
  manually.

I'm not proposing that just any key should be silently accepted. Just
that it should be automatically fetched and independent of debs. I
already did run into a case where I could not update the keyring
package because the Release signature required the new keyring
package.

MfG
        Goswin

Reply to:

Follow-Ups:
- Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
  - From: Patrick Schoenfeld <schoenfeld@in-medias-res.com>

References:
- ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
  - From: Robert Millan <rmh@aybabtu.com>
- Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
  - From: Alexander Wirt <formorer@debian.org>
- Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
  - From: Holger Levsen <holger@layer-acht.org>
- Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
  - From: Roberto C. Sánchez <roberto@connexer.com>
- Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
  - From: Patrick Schoenfeld <schoenfeld@in-medias-res.com>
- Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
  - From: Adam Majer <adamm@zombino.com>
- Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
  - From: Goswin von Brederlow <goswin-v-b@web.de>
- Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
  - From: Patrick Schoenfeld <schoenfeld@in-medias-res.com>
- Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
  - From: Neil Williams <codehelp@debian.org>
- Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
  - From: Patrick Schoenfeld <schoenfeld@in-medias-res.com>

Prev by Date: Policy question - deleting files belonging to another package
Next by Date: Re: Policy question - deleting files belonging to another package
Previous by thread: Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Next by thread: Re: ITP: debian-backports-keyring -- GnuPG archive key of the backports.org repository
Index(es):
- Date
- Thread