
Re: Facilitating external repositories



On Sun, Jun 07, 2015 at 11:30:01AM -0700, Josh Triplett wrote:
> On Sun, Jun 07, 2015 at 11:08:36AM +0200, Wouter Verhelst wrote:
> > On Fri, Jun 05, 2015 at 09:10:56AM -0700, Josh Triplett wrote:
> > > If that's not an option for some reason, then given that the packages
> > > are Free Software and of reasonably broad interest, you could at least
> > > upload a package to Debian containing the archive key, similar to
> > > pkg-mozilla-archive-keyring; that would establish a trust path.  (Which
> > > doesn't solve the usability problem, but it does solve the trust
> > > problem.)
> > 
> > True, but I don't think it is the best way forward.
> > 
> > First, it would work for me, as long as I'm still contracting for the
> > government[1]. However, due to it being a *government* contract, this is
> > an inherently time-limited situation[2]. I want this situation to remain
> > manageable after the end of my contract.
> > 
> > Second, while I wrote this in response to an immediate issue that I'm
> > dealing with, it should be obvious that this isn't a problem specific to my
> > situation; I would prefer to have a situation which works for everyone,
> > not just for me. Having to maintain a package inside Debian isn't the
> > best solution for third-party developers.
> 
> If you don't mind the solution being specific to Debian developers,
> though not to you in particular, then the future plans for Debian PPAs
> or similar should help here.  In particular, those should inherently
> have a trust chain from the archive.

Sure. They don't exist yet, however.

> And anything *not* specific to Debian developers shouldn't be automatic;
> if there's a means of signing something such that it is "trusted", that
> mechanism *must* be limited to DDs.

Actually, we *already* have cases where stuff can be installed on a
Debian system without apt saying anything about it (and without
requiring manual steps) that involves someone preparing an upload who is
not a DD. It's called a DM.

Do we trust DMs to the same level that we trust DDs? No. Is that fine?
Sure. In the same vein, should we trust third-party repositories to the
same level that we trust DDs, or even DMs? Probably not. But then that's
not what I'm suggesting.

Having said that, I do agree with you that we should not allow just
about anyone to create a repository which will be automatically trusted
by the whole Debian system. Establishing such a trust chain should,
indeed, require some vetting by at least one Debian Developer, so that
malicious packages can be rejected, if needs be.

Perhaps this should even be done on a repeating basis; i.e., it could be
done so that getting a signature on an archive configuration can only be
allowed if it is time-limited (so that after a certain amount of time,
the vetting and signing needs to be re-done).

-- 
It is easy to love a country that is famous for chocolate and beer

  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26
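As an added illustration of the time-limited vetting idea in the message above (this is example code, not part of the thread and not any Debian or apt tooling): a vetting record binds an archive configuration and the fingerprint of the archive's signing key to a validity window and carries the signature of the vetting Debian Developer; the checker rejects the record when the signature fails or the window has lapsed, which is what forces the re-vetting the message describes. The record format, the field names, the sample values and the use of HMAC-SHA256 as a stand-in for the DD's OpenPGP signature are all constructed for this example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed vetting record for a hypothetical third-party repository.
# The fingerprint is a placeholder, not a real key.
EXAMPLE_RECORD = {
    "archive": "deb https://repo.example.invalid/debian jessie main",
    "key_fingerprint": "0000000000000000000000000000000000000000",
    "vetted_by": "dd@example.invalid",
    "not_before": "2015-06-07T00:00:00+00:00",
    "not_after": "2015-09-05T00:00:00+00:00",  # 90 days after not_before
}


def parse_time(iso):
    """Parse an ISO-8601 timestamp with an explicit UTC offset."""
    return datetime.fromisoformat(iso)


def make_record(archive, fingerprint, vetted_by, issued, days_valid):
    """Build a record whose validity window starts at `issued` and lasts `days_valid` days."""
    return {
        "archive": archive,
        "key_fingerprint": fingerprint,
        "vetted_by": vetted_by,
        "not_before": issued.isoformat(),
        "not_after": (issued + timedelta(days=days_valid)).isoformat(),
    }


def canonical_bytes(record):
    """Canonical encoding so signer and verifier hash exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record, dd_key):
    """Return a signed copy of the record.

    HMAC-SHA256 under `dd_key` stands in for the vetting DD's OpenPGP
    signature; a real deployment would use a detached OpenPGP signature
    checked against the Debian keyring.
    """
    sig = hmac.new(dd_key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": dict(record), "signature": sig}


def verify_record(signed, dd_key, now):
    """Check the signature first, then the validity window.

    Returns (ok, reason) with reason one of "ok", "bad-signature",
    "not-yet-valid" or "expired". The time check is done only after the
    signature is known to be good, so an attacker cannot learn anything
    about the window from a forged record.
    """
    record = signed["record"]
    expected = hmac.new(dd_key, canonical_bytes(record), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed.get("signature", "")):
        return False, "bad-signature"
    if now < parse_time(record["not_before"]):
        return False, "not-yet-valid"
    if now > parse_time(record["not_after"]):
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-dd-signing-key"  # stand-in for the DD's private key
    signed = sign_record(EXAMPLE_RECORD, key)
    for when in ("2015-07-01T00:00:00+00:00", "2015-10-01T00:00:00+00:00"):
        print(when, verify_record(signed, key, parse_time(when)))
```

The point of checking `not_after` on every use rather than only at install time is that the vetting lapses by itself: once the window closes, apt-side tooling would stop trusting the repository until a DD signs a fresh record.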

