Re: Facilitating external repositories

To: Timo Weingärtner <tiwe@debian.org>
Cc: debian-devel@lists.debian.org
Subject: Re: Facilitating external repositories
From: Wouter Verhelst <wouter@debian.org>
Date: Thu, 14 Nov 2019 19:26:10 +0200
Message-id: <[🔎] 20191114172610.GA3045@grep.be>
In-reply-to: <[🔎] 20191109172044.GD18553@grep.be>
References: <[🔎] 20191103173534.GB4259@grep.be> <[🔎] 7154107.ZLNxeNa7KG@timo01.tiwe.de> <[🔎] 20191109172044.GD18553@grep.be>

Hi,

On Sat, Nov 09, 2019 at 07:20:44PM +0200, Wouter Verhelst wrote:
> Hi Timo,
> 
> On Sun, Nov 03, 2019 at 07:33:10PM +0100, Timo Weingärtner wrote:
> > Hallo Wouter Verhelst,
> > 
> > 03.11.19 18:35 Wouter Verhelst:
> > > The software from the package downloads the metadata index and validates
> > > the GPG signature; and if everything checks out, adds configuration to
> > > /etc/apt/sources.list.d and /etc/apt/trusted.gpg.d to enable the
> > > repository.
> > 
> > Please don't use /etc/apt/trusted* for 3rd-party repositories. If a key is in 
> > there its owner can impersonate the official debian repos for default setups.¹ 
> > Please use some other path (such as /var/lib/extrepo/keyrings/) for the 
> > keyrings and connect it with "Signed-By:" [1].
> > 
> > I just changed my /etc/apt/sources.list.d/debian.sources to have:
> > Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
> 
> Thanks. I agree that makes sense; I've updated the code as such.

So, that has happened, and I have now also uploaded extrepo[1].

In order for this to acually be useful, I would need a bunch of
repositories to be available through the "extrepo" command.

In order for that to happen, I think the best thing to do (eventually)
would be to have the maintainers of said external repositories to
request for them to be added[2]. We'd then need a vetting procedure and a
set of rules for things to be accepted.

I've created a start for that at
<https://salsa.debian.org/extrepo-team/extrepo-data>. Any comments?

(as a side note, that repository also contains the metadata of the
repositories which extrepo knows...)

Thanks,

[1] https://ftp-master.debian.org/new/extrepo_0.2.html
[2] For the time being though, I've started creating a set of
    repositories. I'll probably add more in the next few days or weeks,
    as I encounter repositories that might be interesting to add.
    Long-term that is probably not the best idea, but short-term I want
    to have some critical mass of packages first...

-- 
To the thief who stole my anti-depressants: I hope you're happy

  -- seen somewhere on the Internet on a photo of a billboard

Reply to:

References:
- Re: Facilitating external repositories
  - From: Wouter Verhelst <wouter@debian.org>
- Re: Facilitating external repositories
  - From: Timo Weingärtner <tiwe@debian.org>
- Re: Facilitating external repositories
  - From: Wouter Verhelst <wouter@debian.org>

Prev by Date: Re: Usage of DEP5
Next by Date: Bug#944745: ITP: libreadonlyx-perl -- faster facility for creating read-only scalars, arrays, hashes
Previous by thread: Re: Facilitating external repositories
Next by thread: RFA: several packages around Kodi
Index(es):
- Date
- Thread