
Re: unsigned repositories



Hello,
* Sam Hartman [Sun, Jul 14 2019, 08:46:18AM]:
> >>>>> "Julian" == Julian Andres Klode <jak@debian.org> writes:
>
> Please carefully consider uses of apt besides the system level apt
> running as root installing packages on the system.
>
> What about when I use the apt libraries to explore some repository and
> parse its packages files etc.
> Asking people to go set up the keys for some of these use cases seems
> like a lot of work.

IMHO this could and should be mitigated. I.e. give people a tool they
can work with without studying rocket science, following the spirit of
letsencrypt etc., which handles the snakeoil key handling in a lazy way.

<brainstorming>Something like:

apt-ftparchive ... --auto-sig
(create a new PGP key OR load and use the PGP key with identity of the current
InRelease file; auto-generated key is stored in user's private keyring
and can be extracted with ...)

</>

Best regards,
Eduard.

--
I like quoting Angela Merkel verbatim best. I have not yet found a
better way to insult that woman.
                                                    -- Volker Pispers
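As an added illustration (my own sketch, not code from Eduard's post and not a feature of apt or apt-ftparchive; the "--auto-sig" flag above does not exist), here is what such lazy key handling could look like using only gpg: take the long key ID of the signature on an existing InRelease as the "identity", reuse that key if we hold its secret half, otherwise create a fresh ed25519 signing key, then clearsign Release and export the public key for clients. The repository, the user ID repo-autosig@example.invalid and the passphrase-less keys are my assumptions; a hand-written Release stands in for apt-ftparchive output when that tool is not installed.

```shell
#!/bin/sh
# Added example, not code from the post or from apt/apt-ftparchive.
# Sketch of a hypothetical "--auto-sig" helper built on gpg alone:
# reuse the key that signed the current InRelease if its secret key is
# in our keyring, otherwise generate one, then sign Release.
# Assumptions (mine): signer identity = long key ID of the InRelease
# signature; keys carry no passphrase; gpg >= 2.1 with loopback pinentry.
set -eu

AUTOSIG_UID="repo-autosig@example.invalid"   # hypothetical default user ID

# Print the long key ID that signed a clearsigned file, or nothing.
# GOODSIG, BADSIG and ERRSIG status lines all carry the key ID in
# field 3, so this also works when the public key is not in the keyring.
signer_keyid() {
    [ -f "$1" ] || return 0
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null \
        | awk '$2 == "GOODSIG" || $2 == "BADSIG" || $2 == "ERRSIG" { print $3; exit }'
}

# Choose the signing key: the existing InRelease signer if we hold its
# secret key, otherwise a fresh ed25519 sign-only key under AUTOSIG_UID.
auto_sig_keyid() {
    repo=$1
    kid=$(signer_keyid "$repo/InRelease")
    if [ -n "$kid" ] && gpg --batch --list-secret-keys "$kid" >/dev/null 2>&1; then
        echo "$kid"
        return 0
    fi
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$AUTOSIG_UID" ed25519 sign never >/dev/null 2>&1
    # "sec" records list the long key ID in colon field 5; take the newest.
    gpg --batch --with-colons --list-secret-keys "$AUTOSIG_UID" \
        | awk -F: '$1 == "sec" { print $5 }' | tail -n 1
}

# Sign Release into InRelease and Release.gpg, and export the public key
# so a client can fetch it (the "can be extracted with ..." part).
auto_sign_release() {
    repo=$1
    kid=$(auto_sig_keyid "$repo")
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --local-user "$kid" --digest-algo SHA256 \
        --clearsign --output "$repo/InRelease" "$repo/Release"
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --local-user "$kid" --digest-algo SHA256 \
        --armor --detach-sign --output "$repo/Release.gpg" "$repo/Release"
    gpg --batch --export "$kid" > "$repo/repo-key.gpg"
    echo "$kid"
}

# Client-side check: verify InRelease in a fresh keyring that holds only
# the exported repository key, ignoring the signer's own keyring.
verify_release() {
    repo=$1
    client=$(mktemp -d)
    chmod 700 "$client"
    GNUPGHOME=$client gpg --batch --import "$repo/repo-key.gpg" 2>/dev/null
    if GNUPGHOME=$client gpg --batch --verify "$repo/InRelease" 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$client"
    return $rc
}

# Constructed sample repository with one empty Packages index. Use the
# real apt-ftparchive when present; otherwise write a minimal Release
# with the same SHA256 section layout.
make_sample_repo() {
    repo=$(mktemp -d)
    mkdir -p "$repo/main/binary-amd64"
    : > "$repo/main/binary-amd64/Packages"
    if command -v apt-ftparchive >/dev/null 2>&1; then
        (cd "$repo" && apt-ftparchive release . > Release)
    else
        sum=$(sha256sum "$repo/main/binary-amd64/Packages" | cut -d' ' -f1)
        size=$(wc -c < "$repo/main/binary-amd64/Packages" | tr -d ' ')
        printf 'Origin: example\nSuite: stable\nArchitectures: amd64\nComponents: main\nSHA256:\n %s %s main/binary-amd64/Packages\n' \
            "$sum" "$size" > "$repo/Release"
    fi
    echo "$repo"
}

# End to end: sign, verify as a client would, sign again, and report
# whether the second run reused the first key (the lazy behaviour).
run_demo() {
    home=$(mktemp -d)
    chmod 700 "$home"
    export GNUPGHOME=$home
    repo=$(make_sample_repo)
    first=$(auto_sign_release "$repo")
    verify_release "$repo" || { echo "verify-failed"; return 1; }
    second=$(auto_sign_release "$repo")
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$repo" "$home"
    [ "$first" = "$second" ] && echo "reused" || echo "new-key"
}
```

Running run_demo prints "reused": the second signing pass finds the key ID on the InRelease it wrote the first time, sees the secret key in the keyring, and signs with it instead of minting another. The client-side verify uses a separate GNUPGHOME on purpose, since a signature that only verifies in the signer's own keyring tells you nothing about what apt on another machine will accept.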

