
Bug#992194: Need to reflect Debian project preferences on repo keys



Package: release-notes
Severity: normal

The project really needs to make its mind up which way it is going in terms of managing repo keys.

The bullseye release notes, e.g. "5.3.2. Deprecated components for bullseye", make reference to "Keys should be managed by dropping files into /etc/apt/trusted.gpg.d"

But this seems to contravene current Debian policy as stated elsewhere, namely:

"The key MUST be downloaded over a secure mechanism like HTTPS to a location only writable by root, which SHOULD be /usr/share/keyrings. The key MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by apt-key add. A sources.list entry SHOULD have the signed-by option set. The signed-by entry MUST point to a file, and not a fingerprint."

Source:
1. https://wiki.debian.org/DebianRepository/UseThirdParty
2. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861695
3. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877012

Please don't confuse people by encouraging different methods in different docs!
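
An added example, not part of the original bug report: a small auditor that checks one-line-style sources.list entries against the signed-by parts of the rule quoted above (option present, pointing to a file rather than a fingerprint, and not into /etc/apt/trusted.gpg.d). The function names, finding labels, repo.example.org and the keyring file names are assumptions made for illustration; deb822 .sources files are not handled.

```python
import re

# One-line-style entry: deb [option=value ...] uri suite [component ...]
ENTRY = re.compile(r"^(?:deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?\S+\s+\S+")
LEGACY_DIR = "/etc/apt/trusted.gpg.d/"

def audit_entry(line):
    """Return policy findings for one sources.list line ([] if compliant or not an entry)."""
    m = ENTRY.match(line.split("#", 1)[0].strip())
    if not m:
        return []  # blank line, comment, or not one-line style
    opts = {}
    for token in (m.group("opts") or "").split():
        key, _, value = token.partition("=")
        opts[key.lower()] = value
    if not opts.get("signed-by"):
        return ["missing-signed-by"]
    findings = []
    for value in opts["signed-by"].split(","):
        if not value.startswith("/"):
            findings.append("signed-by-not-a-file")  # fingerprint, not a path
        elif value.startswith(LEGACY_DIR):
            findings.append("signed-by-in-trusted.gpg.d")
    return findings

def audit(text):
    """Map line number -> findings for every non-compliant entry in a sources.list body."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        findings = audit_entry(line)
        if findings:
            report[number] = findings
    return report

# Constructed sample; repo.example.org and the keyring names are placeholders.
SAMPLE = """\
# third-party repositories
deb https://repo.example.org/debian stable main
deb [signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://repo.example.org/debian stable main
deb [arch=amd64 signed-by=0123456789ABCDEF0123456789ABCDEF01234567] https://repo.example.org/debian stable main
deb-src [signed-by=/etc/apt/trusted.gpg.d/example.gpg] https://repo.example.org/debian stable main
"""

if __name__ == "__main__":
    for number, findings in audit(SAMPLE).items():
        print(f"line {number}: {', '.join(findings)}")
```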

