
Re: Facilitating external repositories



On Thu, Jun 04, 2015 at 06:18:16PM +0200, Wouter Verhelst wrote:
> - There is no trust path from your already-installed distribution to the
>   "archive" package (yes, I did sign the gpg keys; no, I don't consider
>   that enough).

There are 2 popular methods for this:
- Have an "app store".  We would allow those 3rd parties to upload
  and we sign it.  You would probably be looking for a part of the
  archive that doesn't have the same schedule as the releases.
- Have a method for 3rd parties to get their key to be trusted to
  installed software.  This could potentially be done by either
  shipping all such trusted keys or have them signed by a special
  purpose key.


Kurt

