Re: Q: Where is keyring packaging guideline?

[Paul Wise <pabs@debian.org>]

On Tue, Aug 21, 2018 at 1:21 PM, Kentaro Hayashi wrote:

> I want to make 3rd party keyring package (ITP). In the advance, I
> want to know a best practice about *keyring* packaging. Any hints?

There are some best practices for using 3rd party apt repos here:

https://wiki.debian.org/DebianRepository/UseThirdParty

>   sudo apt install -y -V --allow-unauthenticated foobar-keyring
>   This is reasonable because there is no correct key yet before
>   installing it.

I don't think this is appropriate at all. Instead, always use an
out-of-band mechanism for confirming the appropriate OpenPGP keys.
Having the keyring package in Debian itself is a good idea, but at
very bare minimum, download the key or fingerprint from a website that
uses a valid TLS certificate according to the X.509 CA trust model.

> So, I plan to make one more 3rd party keryring into Debian.

That seems like a reasonable way to provide a secure mechanism to install it.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise