
Re: Facilitating external repositories



On Sun, Jun 07, 2015 at 11:55:23PM +0200, Wouter Verhelst wrote:
> On Sun, Jun 07, 2015 at 11:30:01AM -0700, Josh Triplett wrote:
> > On Sun, Jun 07, 2015 at 11:08:36AM +0200, Wouter Verhelst wrote:
> > > On Fri, Jun 05, 2015 at 09:10:56AM -0700, Josh Triplett wrote:
> > > > If that's not an option for some reason, then given that the packages
> > > > are Free Software and of reasonably broad interest, you could at least
> > > > upload a package to Debian containing the archive key, similar to
> > > > pkg-mozilla-archive-keyring; that would establish a trust path.  (Which
> > > > doesn't solve the usability problem, but it does solve the trust
> > > > problem.)
> > > 
> > > True, but I don't think it is the best way forward.
> > > 
> > > First, it would work for me, as long as I'm still contracting for the
> > > government[1]. However, due to it being a *government* contract, this is
> > > an inherently time-limited situation[2]. I want this situation to remain
> > > manageable after the end of my contract.
> > > 
> > > Second, while I wrote this in response to an immediate issue that I'm
> > > dealing with, it should be obvious that this isn't a problem specific to my
> > > situation; I would prefer to have a situation which works for everyone,
> > > not just for me. Having to maintain a package inside Debian isn't the
> > > best solution for third-party developers.
> > 
> > If you don't mind the solution being specific to Debian developers,
> > though not to you in particular, then the future plans for Debian PPAs
> > or similar should help here.  In particular, those should inherently
> > have a trust chain from the archive.
> 
> Sure. They don't exist yet, however.

True, but then, neither does any other possible solution to your
problem.  Among the solutions that don't exist yet, PPAs seem
preferable.

> > And anything *not* specific to Debian developers shouldn't be automatic;
> > if there's a means of signing something such that it is "trusted", that
> > mechanism *must* be limited to DDs.
> 
> Actually, we *already* have cases where stuff can be installed on a
> Debian system without apt saying anything about it (and without
> requiring manual steps) that involves someone preparing an upload who is
> not a DD. It's called a DM.

True, but DMs can only upload specific packages, not entire repositories
full of packages.

> Do we trust DMs to the same level that we trust DDs? No. Is that fine?
> Sure. In the same vein, should we trust third-party repositories to the
> same level that we trust DDs, or even DMs? Probably not. But then that's
> not what I'm suggesting.
> 
> Having said that, I do agree with you that we should not allow just
> about anyone to create a repository which will be automatically trusted
> by the whole Debian system. Establishing such a trust chain should,
> indeed, require some vetting by at least one Debian Developer, so that
> malicious packages can be rejected, if needs be.

If there is an external entity we trust enough to upload arbitrary
packages to a repository from which packages will be installed on a
Debian system without prompting, that entity should be a DD, since
that's at least as much trust as we give to DDs.  I don't think it's
acceptable to give an *ongoing* blank check to anyone to upload
arbitrary packages to such a repository without that someone being a DD.

- Josh Triplett
