Re: Facilitating external repositories
On Sun, Jun 07, 2015 at 11:08:36AM +0200, Wouter Verhelst wrote:
> On Fri, Jun 05, 2015 at 09:10:56AM -0700, Josh Triplett wrote:
> > If that's not an option for some reason, then given that the packages
> > are Free Software and of reasonably broad interest, you could at least
> > upload a package to Debian containing the archive key, similar to
> > pkg-mozilla-archive-keyring; that would establish a trust path. (Which
> > doesn't solve the usability problem, but it does solve the trust
> > problem.)
> True, but I don't think it is the best way forward.
> First, it would work for me, as long as I'm still contracting for the
> government. However, due to it being a *government* contract, this is
> an inherently time-limited situation. I want this situation to remain
> manageable after the end of my contract.
> Second, while I wrote this in response to an immediate issue that I'm
> dealing with, it should be obvious that this isn't a problem specific to my
> situation; I would prefer to have a situation which works for everyone,
> not just for me. Having to maintain a package inside Debian isn't the
> best solution for third-party developers.
If you don't mind the solution being specific to Debian developers,
though not to you in particular, then the future plans for Debian PPAs
or similar should help here. In particular, those should inherently
have a trust chain from the archive.
And anything *not* specific to Debian developers shouldn't be automatic;
if there's a means of signing something such that it is "trusted", that
mechanism *must* be limited to DDs.
- Josh Triplett