
Re: unsigned repositories



>>>>> "Eduard" == Eduard Bloch <edi@gmx.de> writes:

    Eduard> Hello, * Sam Hartman [Sun, Jul 14 2019, 08:46:18AM]:
    >> >>>>> "Julian" == Julian Andres Klode <jak@debian.org> writes:
    >> 
    >> Please carefully consider uses of apt besides the system level
    >> apt running as root installing packages on the system.
    >> 
    >> What about when I use the apt libraries to explore some
    >> repository and parse its packages files etc.  Asking people to go
    >> set up the keys for some of these use cases seems like a lot of
    >> work.

    Eduard> IMHO this could and should be mitigated, i.e. give people a
    Eduard> tool they can work with without studying rocket science,
    Eduard> following the spirit of letsencrypt etc., which handles the
    Eduard> snake-oil key handling in a lazy way.

Most of the repository generation tools these days do a fairly good job
of signing the release file.
What I'm more worried about is configuring the client apt library in
cases where you are using it for things other than the main apt instance
on the system.
