Bug#980743: release-notes: bullseye is the final release to ship apt-key
On 2021-01-21 16:41:36, Julian Andres Klode wrote:
> On Thu, Jan 21, 2021 at 10:22:59AM -0500, Antoine Beaupré wrote:
>> Could we make that /usr/share/keyrings and talk about `signed-by` in
>> sources.list entries? I've been trying really hard to convince people to
>> stop granting random repos the capacity of impersonating official Debian
>> repos for years now, through those instructions:
>> It would be great to make that more official here...
>> Thanks for the deprecation, in any case, I think it's a great move forward!
>
> We don't yet have sensible ways to do this, really. Dropping files into
> /usr is bad practice, and we don't provide a directory to store keys in
> /etc. Well maybe they should be in /usr/local/share/keyrings? I don't
> know, it's hard to say.

I'm happy to change the recommendation to another directory. The point
of using /usr/share/keyrings is that it's already used by other keyring
packages to ship their keyrings. A few -keyring packages in the archive
actually already do this, so I was merely documenting the current best
Changing those might be possible, but I am not sure introducing that
extra friction would be worth it at this point.

But it seems important to use a location out of the default scope.

> My goal would be to migrate to deb822 sources files with keys embedded
> in them eventually, that would solve all issues; but it's blocked by
> python-apt's aptsources package and all its consumers which all need to
> be changed to be able to understand deb822.

That would be great, but in the meantime... :)

One of the strongest motives that leads men to art and science is
escape from everyday life with its painful crudity and hopeless
dreariness. Such men make this cosmos and its construction the pivot
of their emotional life, in order to find the peace and security which
they cannot find in the narrow whirlpool of personal experience.
- Albert Einstein
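
An added example, not part of the original message and not code from apt: a small Python audit of one-line sources.list entries that reports which ones are pinned with `signed-by` to a keyring outside apt's default trust scope, the property discussed in the thread. The sample entries, hostnames and keyring file names are constructed, and `audit_sources` is a hypothetical helper name.

```python
import re

# Constructed sample sources.list content (not taken from the thread).
SAMPLE = """\
# official archive, key shipped by a -keyring package
deb http://deb.debian.org/debian bullseye main
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://repo.example.com/apt stable main
deb [arch=amd64] https://other.example.org/apt stable main
deb-src [ signed-by=/etc/apt/trusted.gpg.d/vendor.gpg ] https://vendor.example.net/apt stable main
"""

# One-line format: type, optional [options], URI, suite, components.
LINE_RE = re.compile(
    r"^(deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)"
)

# Keys stored here are trusted for every source that has no signed-by.
GLOBAL_DIR = "/etc/apt/trusted.gpg.d/"
GLOBAL_FILE = "/etc/apt/trusted.gpg"


def is_global(value):
    """True if a signed-by value still relies on the globally trusted keyrings.

    A value that is not an absolute path is a key fingerprint, which apt
    looks up in those same global keyrings.
    """
    return (not value.startswith("/")
            or value.startswith(GLOBAL_DIR)
            or value == GLOBAL_FILE)


def audit_sources(text):
    """Return (line number, URI, status) for each deb/deb-src entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = LINE_RE.match(line)
        if not m:
            continue
        opts = dict(o.split("=", 1)
                    for o in (m.group("opts") or "").split() if "=" in o)
        keyring = opts.get("signed-by")
        if keyring is None:
            status = "unscoped"          # verified against any trusted key
        elif any(is_global(k) for k in keyring.split(",")):
            status = "global-keyring"    # key is also trusted for unscoped sources
        else:
            status = "scoped"            # key is valid for this source only
        findings.append((lineno, m.group("uri"), status))
    return findings
```

Entries reported as `unscoped` accept a signature from any key in the default trust set, and `global-keyring` entries use a key that other unscoped sources will accept as well.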