Re: Facilitating external repositories
On Thu, Jun 04, 2015 at 06:18:16PM +0200, Wouter Verhelst wrote:
> - There is no trust path from your already-installed distribution to the
> "archive" package (yes, I did sign the gpg keys; no, I don't consider
> that enough).
There are 2 popular methods for this:
- Have an "app store". We would allow those 3rd parties to upload
and we sign it. You would probably be looking for a part of the
archive that doesn't have the same schedule as the releases.
- Have a method for 3rd parties to get their key to be trusted to
install software. This could potentially be done by either
shipping all such trusted keys or have them signed by a special