
Re: Bug#990521: I wonder whether bug #990521 "apt-secure points to apt-key which is deprecated" should get a higher severity



On 2021-07-01 09:35:16 -0400 (-0400), Kyle Edwards wrote:
> On 7/1/21 9:27 AM, Jeremy Stanley wrote:
> > It's not clear (to me at least) that placing keys into
> > /etc/apt/trusted.gpg.d is deprecated
> 
> According to
> https://wiki.debian.org/DebianRepository/UseThirdParty it is:
> 
> > The key MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded
> > by apt-key add.
[...]

Yes, that's a community-maintained wiki article with a few editors
(at least most of whom are also DDs in this case), started in
2017-03-22 to describe a specific model which discourages it, but
nowhere does that claim use of /etc/apt/trusted.gpg.d is officially
deprecated and when, much less link to official documentation
stating so. The article also does essentially nothing to explain the
risks that model wants to counter. Reading between the lines, it may
protect you from accidentally using a package repository (whose
maintainers you implicitly trust) in unintended ways. If the people
in control of those keys wanted to take control of your machine,
they still could, so it's not protecting you from any intentionally
malicious threats.

It might be good to get input on this from anarcat and dkg, as the
primary authors of that document, on the underlying intention, and
maybe add some further explanation to it indicating the real-world
threats this recommendation mitigates. Security policy should be
informed by risk analysis, and complicating things with additional
security controls which bring no appreciable improvement to the
actual security of the system but just "because you can" is
ultimately detrimental.
-- 
Jeremy Stanley
