Bug#992194: Need to reflect Debian project preferences on repo keys
Package: release-notes
Severity: normal
The project really needs to make its mind up which way it is going in terms of managing repo keys.
The bullseye release notes, e.g. section 5.3.2, "Deprecated components for bullseye", make reference to "Keys should be managed by dropping files into /etc/apt/trusted.gpg.d"
But this seems to contravene current Debian policy as stated elsewhere, namely:
"The key MUST be downloaded over a secure mechanism like HTTPS to a location only writable by root, which SHOULD be /usr/share/keyrings. The key MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by apt-key add. A sources.list entry SHOULD have the signed-by option set. The signed-by entry MUST point to a file, and not a fingerprint."
Sources:
1. https://wiki.debian.org/DebianRepository/UseThirdParty
2. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861695
3. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877012
Please don't confuse people by encouraging different methods in different docs!
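The wiki requirements quoted in the report can be checked mechanically for third-party entries. The following is an added example, not part of the original bug report or of any Debian tool: it audits one-line-style sources.list entries against the quoted MUST/SHOULD rules. It assumes the one-line format only (not deb822 .sources files); the repository URL, key file names and fingerprint in the sample are constructed.

```python
import re

# Constructed sample sources.list content (hypothetical repository and key names).
SAMPLE = """\
deb [signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://repo.example.org/debian bullseye main
deb https://repo.example.org/debian bullseye main
deb [arch=amd64 signed-by=0123456789ABCDEF0123456789ABCDEF01234567] https://repo.example.org/debian bullseye main
deb [signed-by=/etc/apt/trusted.gpg.d/example.gpg] https://repo.example.org/debian bullseye main
# deb https://commented.example.org/ stable main
"""

OK = "ok"
NO_SIGNED_BY = "no signed-by option (SHOULD be set)"
FINGERPRINT = "signed-by is a fingerprint (MUST point to a file)"
TRUSTED_D = "key in /etc/apt/trusted.gpg.d (MUST NOT)"

# type, optional [options], then the repository URI
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)")

def check_entry(line):
    """Return a finding for one entry, or None for comments and blank lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    options = dict(
        opt.split("=", 1) for opt in (m.group(2) or "").split() if "=" in opt
    )
    signed_by = options.get("signed-by")
    if signed_by is None:
        return NO_SIGNED_BY
    # apt accepts a comma-separated list; every value must be an absolute path.
    for value in signed_by.split(","):
        if not value.startswith("/"):
            return FINGERPRINT
        if value.startswith("/etc/apt/trusted.gpg.d/"):
            return TRUSTED_D
    return OK

def audit(text):
    """Return (line number, finding) for every repository entry in text."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        finding = check_entry(line)
        if finding is not None:
            results.append((lineno, finding))
    return results

if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE):
        print(f"line {lineno}: {finding}")
```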