[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Facilitating external repositories

Hey, Wouter.

On 06/04/2015 12:18 PM, Wouter Verhelst wrote:
> Hi,
> At $DAYJOB, I'm maintaining a few repositories with ready-to-install
> packages for a number of distributions[1]
> Currently, the instructions[2] say to do the following:
> - Download and install an "eid-archive" package, which contains the GPG
>   keys and generates a sources.list.d file for the repository;
> - Run "apt-get update";
> - Install the "eid-mw" and/or "eid-viewer" packages.
> This works, but it has a number of downsides:
> - The second step, "run apt-get update", is often overlooked; this seems
>   to be the case especially for users of Ubuntu, where the default
>   handler for installing packages is the "Software Center", a GUI
>   software management tool that doesn't have any UI element for doing
>   (the equivalent of) apt-get update

Huh... this is unfortunate.  I can imagine a package that installs some
kind of one-time cronjob that will execute 'apt-get update' a minute
later, but I don't like the idea... I hope there's something better

> - There is no trust path from your already-installed distribution to the
>   "archive" package (yes, I did sign the gpg keys; no, I don't consider
>   that enough).

Yeah unfortunately this is sort of a catch-22 problem... IMHO we want an
external archive key to be easily replaceable in case it's ever
compromised, yet we also want that same key to be "easily trust-able",
which takes time and several signatures of known keys to do... i.e. an

I recall the prior DPL wanting to support PPAs in Debian, and I would
imagine that this issue is one of the "sticking points" to that idea.

BTW does the 'debian-keyring' package exist on Ubuntu and Mint?  If so I
could imagine that your eid-archive package could have a pre-depends on
debian-keyring and check that GPG keys installed by eid-archive are
signed by a DD or DM.  As the debian-keyring package would come from the
main archive, that would at least have a trust path to the signing key
of the main distribution repository.

That's what I can think of at the moment anyway.

   -- Chris

Chris Knadle

Reply to: