Re: Facilitating external repositories

To: debian-devel@lists.debian.org
Subject: Re: Facilitating external repositories
From: Russ Allbery <rra@debian.org>
Date: Sun, 03 Nov 2019 11:04:01 -0800
Message-id: <[🔎] 878sowpyse.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 7154107.ZLNxeNa7KG@timo01.tiwe.de> ("Timo Weingärtner"'s message of "Sun, 03 Nov 2019 19:33:10 +0100")
References: <[🔎] 20191103173534.GB4259@grep.be> <[🔎] 7154107.ZLNxeNa7KG@timo01.tiwe.de>

Timo Weingärtner <tiwe@debian.org> writes:

> Please don't use /etc/apt/trusted* for 3rd-party repositories. If a key
> is in there its owner can impersonate the official debian repos for
> default setups.¹ Please use some other path (such as
> /var/lib/extrepo/keyrings/) for the keyrings and connect it with
> "Signed-By:" [1].

> I just changed my /etc/apt/sources.list.d/debian.sources to have:
> Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

I have a personal repository and a corresponding eyrie-archive-keyring
package to install the trusted keys.  Is there a best practice document
somewhere for how I should set this up?  I'm currently installing keyrings
in /etc/apt/trusted.gpg.d because I thought that was how *-archive-keyring
packages were supposed to work, but this area seems a bit underdocumented
(or at least I've not found the right documentation).

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: Facilitating external repositories
  - From: Guillem Jover <guillem@debian.org>

References:
- Re: Facilitating external repositories
  - From: Wouter Verhelst <wouter@debian.org>
- Re: Facilitating external repositories
  - From: Timo Weingärtner <tiwe@debian.org>

Prev by Date: Re: Facilitating external repositories
Next by Date: Re: Integration with systemd
Previous by thread: Re: Facilitating external repositories
Next by thread: Re: Facilitating external repositories
Index(es):
- Date
- Thread