
Bug#992194: marked as done (Need to reflect Debian project preferences on repo keys)



Your message dated Sat, 21 Aug 2021 22:49:30 +0200
with message-id <f33e6a56-3b94-459f-b351-72c499f69a67@debian.org>
and subject line Re: Bug#992194: Need to reflect Debian project preferences on repo keys
has caused the Debian Bug report #992194,
regarding Need to reflect Debian project preferences on repo keys
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
992194: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992194
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release-notes
Severity: normal

The project really needs to make its mind up which way it is going in terms of managing repo keys.

The bullseye release notes, e.g. 5.3.2. Deprecated components for bullseye make reference to "Keys should be managed by dropping files into /etc/apt/trusted.gpg.d"

But this seems to contravene current Debian policy as stated elsewhere, namely:

"The key MUST be downloaded over a secure mechanism like HTTPS to a location only writable by root, which SHOULD be /usr/share/keyrings. The key MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by apt-key add. A sources.list entry SHOULD have the signed-by option set. The signed-by entry MUST point to a file, and not a fingerprint."

Source:
1. https://wiki.debian.org/DebianRepository/UseThirdParty
2. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861695
3. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877012

Please don't confuse people by encouraging different methods in different docs!

--- End Message ---
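The policy quoted in the report (key in a root-only location under /usr/share/keyrings, fetched over HTTPS, and a signed-by option that names a file rather than a fingerprint) can be checked mechanically. The following audit script is an added example and is not part of the bug report or of any Debian tool; the sample sources.list lines, the finding names, and the single-keyring-per-entry assumption are constructed for the illustration.

```python
import re

# Constructed sample: three one-line-style apt source entries (not taken from the bug report).
SAMPLE_SOURCES = """\
# good: key file under /usr/share/keyrings, repository fetched over HTTPS
deb [signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://deb.example.org/ bullseye main
# deprecated: no signed-by, so any key in /etc/apt/trusted.gpg.d may sign this repository
deb http://deb.example.org/ bullseye main
# wrong: signed-by given as a fingerprint instead of a file path
deb [arch=amd64 signed-by=ABCDEF0123456789ABCDEF0123456789ABCDEF01] https://deb.example.org/ bullseye main
"""

KEYRING_DIR = "/usr/share/keyrings/"          # the SHOULD location from the quoted policy
FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")  # a bare 40-hex-digit OpenPGP v4 fingerprint
# deb|deb-src, optional [options], URI, then suite and components.
ENTRY_RE = re.compile(r"^(deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<rest>.+)$")


def audit_entry(line):
    """Return the list of policy findings for one sources.list line.

    Blank lines, comments and unparsable lines yield []. Finding names are
    constructed for this example; a single signed-by value per entry is assumed.
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    findings = []
    # The policy requires the key to come over a secure transport; flag plain http repositories too.
    if not m.group("uri").startswith("https://"):
        findings.append("uri-not-https")
    # Options look like key=value separated by spaces, e.g. "arch=amd64 signed-by=/path".
    opts = dict(o.split("=", 1) for o in (m.group("opts") or "").split() if "=" in o)
    signed_by = opts.get("signed-by")
    if signed_by is None:
        findings.append("missing-signed-by")          # entry falls back to the global trusted keyrings
    elif FINGERPRINT_RE.match(signed_by):
        findings.append("signed-by-is-fingerprint")   # MUST point to a file, not a fingerprint
    elif not signed_by.startswith(KEYRING_DIR):
        findings.append("keyring-outside-usr-share-keyrings")  # e.g. a file in /etc/apt/trusted.gpg.d
    return findings


def audit_sources(text):
    """Map each offending entry line to its findings; clean lines are omitted."""
    report = {}
    for line in text.splitlines():
        found = audit_entry(line)
        if found:
            report[line] = found
    return report
```

Running `audit_sources(SAMPLE_SOURCES)` reports the two non-compliant entries and leaves the first, policy-conforming line out.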
--- Begin Message ---
Hi Laura,

On 15-08-2021 18:14, Laura Smith wrote:
> The project really needs to make its mind up which way it is going in terms of managing repo keys.
> 
> The bullseye release notes, e.g. 5.3.2. Deprecated components for bullseye make reference to "Keys should be managed by dropping files into /etc/apt/trusted.gpg.d"

The discussion was had in bug 980743. A better solution was not found.

> But this seems to contravene current Debian policy as stated elsewhere, namely:
> 
> "The key MUST be downloaded over a secure mechanism like HTTPS to a location only writable by root, which SHOULD be /usr/share/keyrings. The key MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by apt-key add. A sources.list entry SHOULD have the signed-by option set. The signed-by entry MUST point to a file, and not a fingerprint."
> 
> Source:
> 1. https://wiki.debian.org/DebianRepository/UseThirdParty
> 2. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861695
> 3. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877012
> 
> Please don't confuse people by encouraging different methods in different docs!

Sometimes documents get outdated.

Paul



--- End Message ---
