Re: improving downloader packages (was: Re: holes in secure apt)

Christoph Anton Mitterer said [Wed, Jun 18, 2014 at 04:21:36AM +0200]:
> On Mon, 2014-06-16 at 20:14 +0200, Jakub Wilk wrote: 
> > debian-keyring is not useful for automatic authentication of source 
> > packages.
> Well to be honest I never fully understood the idea behind
> debian-keyring...
> IMHO this should be actually debian-developers-keyring and it should be
> intended just for offline systems (and thus have only little use in the
> real world).
> (...)

Thanks for bringing this topic up. I'm snipping your very detailed
implementation proposal, which does not sound like it was written at
4AM at all ;-)

I do feel the keyring-maint package is a leftover from days long
gone. Nowadays the keyring is kept in a DVCS tree, and regularly
exported to a publicly accessible instance. Furthermore, it stores its
full history, so you can even check if $foo was a valid key at some
point in the past.

FWIW, I was thinking about including the possible disappearance as one
of the points to talk about in the DebConf BoF we proposed regarding