Re: improving downloader packages (was: Re: holes in secure apt)

Christoph Anton Mitterer said [Fri, Jun 20, 2014 at 10:24:07PM +0200]:
> > I do feel the keyring-maint package is a leftover from days long
> > gone. Nowadays the keyring is kept at a DVCS tree, and regularly
> > exported to a publicly accessible instance.
> Any reason for that "internal" repo? I mean what speaks against the idea
> of expressing everything via signatures by some special keys (which was
> probably the core idea of my proposal)

We want the repo to show what is "truth" at a given point in time. If
we shared our working tree, there'd be space for confusion on keys we
have already changed but not yet pushed (we do so on a ~monthly

Also, every now and then we handle requests that need not be made
public until they have been implemented. Of course, we try to
implement/push them as soon as possible, but it's better to keep them
separate in a "not yet live" place.

