
Re: Q: Where is keyring packaging guideline?



On Thu, Aug 23, 2018 at 05:59:45AM -0700, Sean Whitton wrote:
> Hello,
> 
> On Tue 21 Aug 2018 at 10:25AM GMT, Peter Palfrader wrote:
> 
> > I'm not convinced that 3rd party keyring packages belong in the Debian
> > archive.
> >
> > If the software itself is good and free, then it belongs in Debian
> > itself.
> >
> > However, we shouldn't start shipping random key material for various
> > other places that just happen to offer their software in a format that
> > is consumable by apt.
> 
> Providing the keyrings just as data, and not automatically adding them
> as trusted by apt, might be useful for bootstrapping trust paths,
> however.

How will Debian provide and maintain such trust paths in stable?

If we ship it in a stable release, it is Debian that provides some 
initial level of trust.

So far Debian has completely failed on properly vetting and 
DSA-maintaining 3rd party keys in Debian releases.

> Sean Whitton

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

