
Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity



On 7/1/21 8:27 AM, Julian Andres Klode wrote:
> I don't want to advertise signed-by=. We should aim to get deb822 format
> supported in python-apt next cycle, and then advertise a consistent use
> of deb822 .sources files.
>
> Including, but not limited to, having d-i create
> sources.list.d/<vendor>.sources instead of sources.list.
>
> It just looks bad in the legacy file format.
>
> I'm still concerned having signed-by leads people to adding sources
> they trust less, only to then be rootkitted by evil maintainer scripts
> of packages in that repo.

If [signed-by=] isn't the way to go, then what is? I recently updated the keyring package in our company's APT repository to automatically migrate people to [signed-by=] since apt-key (and with it /etc/apt/trusted.gpg.d) is deprecated. This page suggested using [signed-by=] instead:

https://www.linuxuprising.com/2021/01/apt-key-is-deprecated-how-to-add.html

In addition, this Debian Wiki page (linked from the article above) suggests using [signed-by=] and not /etc/apt/trusted.gpg.d:

https://wiki.debian.org/DebianRepository/UseThirdParty

Kyle
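As an added example, not code from this thread, from APT itself or from the keyring package Kyle describes: the migration the two messages argue about, written out as a small POSIX sh script. It takes a legacy one-line sources.list entry carrying [signed-by=...] and emits the equivalent deb822 .sources stanza, where the key is a proper Signed-By field rather than an option squeezed into the line. It also flags entries with no signed-by at all, since those fall back to the global keyrings in /etc/apt/trusted.gpg.d that apt-key used to manage. The repository host, keyring path and vendor name are placeholders; the APT_SOURCES_DIR override and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not code from the thread, from APT, or from the keyring
# package Kyle mentions): convert a one-line-style sources.list entry that
# carries [signed-by=...] into a deb822 .sources stanza with a Signed-By
# field, so the repository key is scoped to that repository rather than
# living in the deprecated apt-key keyring (/etc/apt/trusted.gpg.d).

# Print the deb822 stanza for the one-line-style entry given as $1.
oneline_to_deb822() {
    # Without signed-by, apt verifies this repository against the global
    # trusted keyrings, which is the apt-key era behaviour being retired.
    case "$1" in
        *signed-by=*) ;;
        *) echo "warning: entry has no signed-by; it will use the global trusted keyring" >&2 ;;
    esac
    printf '%s\n' "$1" | awk '
    {
        types = $1; i = 2; keyring = ""; arch = ""
        if ($2 ~ /^\[/) {
            # Collect the [...] option block, which may span several fields.
            opts = ""
            while (i <= NF) {
                opts = opts " " $i
                if ($i ~ /\]$/) { i++; break }
                i++
            }
            gsub(/\[/, "", opts); gsub(/\]/, "", opts)
            n = split(opts, kv, " ")
            for (j = 1; j <= n; j++) {
                if (kv[j] ~ /^signed-by=/) keyring = substr(kv[j], 11)
                else if (kv[j] ~ /^arch=/) arch = substr(kv[j], 6)
            }
        }
        uri = $i; suite = $(i + 1); comps = ""
        for (j = i + 2; j <= NF; j++) comps = comps (comps == "" ? "" : " ") $j
        print "Types: " types
        print "URIs: " uri
        print "Suites: " suite
        print "Components: " comps
        if (arch != "") print "Architectures: " arch
        if (keyring != "") print "Signed-By: " keyring
    }'
}

# Write the stanza to <dir>/<vendor>.sources. The directory defaults to
# the APT sources directory; set APT_SOURCES_DIR to test without root.
write_sources_file() {
    vendor=$1; entry=$2
    dir=${APT_SOURCES_DIR:-/etc/apt/sources.list.d}
    oneline_to_deb822 "$entry" > "$dir/$vendor.sources"
}

# Constructed demo entry; the keyring path and host are hypothetical.
oneline_to_deb822 "deb [signed-by=/usr/share/keyrings/example-archive-keyring.gpg arch=amd64] https://apt.example.com/debian bullseye main contrib"
```

Two caveats that follow from the thread. Signed-By only restricts which key may validate that repository's Release file; it does nothing about what the packages do once installed, and their maintainer scripts still run as root, which is exactly Julian's objection to advertising it as a way to add sources you trust less. And an entry with no Signed-By at all is worse, not better: it is validated against every key in the global trusted keyrings, so a key added for one vendor then vouches for any repository.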
