[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Facilitating external repositories

On Thu, Jun 04, 2015 at 06:18:16PM +0200, Wouter Verhelst wrote:
> - There is no trust path from your already-installed distribution to the
>   "archive" package (yes, I did sign the gpg keys; no, I don't consider
>   that enough).

There are 2 popular methods for this:
- Have an "app store".  We would allow those 3rd parties to upload
  and we sign it.  You would probably be looking for a part of the
  archive that doesn't have the same schedule as the releases.
- Have a method for 3rd parties to get their key to be trusted to
  installed software.  This could potentionally be done by either
  shipping all such trusted keys or have them signed by a special
  purpose key.


Reply to: