Your message dated Sat, 21 Aug 2021 22:49:30 +0200 with message-id <f33e6a56-3b94-459f-b351-72c499f69a67@debian.org> and subject line Re: Bug#992194: Need to reflect Debian project preferences on repo keys has caused the Debian Bug report #992194, regarding Need to reflect Debian project preferences on repo keys to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 992194: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992194 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: "submit@bugs.debian.org" <submit@bugs.debian.org>
- Subject: Need to reflect Debian project preferences on repo keys
- From: Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch>
- Date: Sun, 15 Aug 2021 16:14:08 +0000
- Message-id: <[🔎] 1xBVUcDcxn2vwlvWXbJynB5dDcwRGmjLw_Dr-KV6KMkk1ZaTtDgP_Sj1bKZCSyDX0Y-NGhI8yk2F6CvpdOnO1BBlxocA5h8Y4MUVREgK0hs=@protonmail.ch>
- Reply-to: Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch>
Package: release-notes Severity: normal The project really needs to make its mind up which way it is going in terms of managing repo keys. The bullseye release notes, e.g. 5.3.2. Deprecated components for bullseye make reference to "Keys should be managed by dropping files into /etc/apt/trusted.gpg.d" But this seems to contravene current Debian policy as stated elsewhere, namely: "The key MUST be downloaded over a secure mechanism like HTTPS to a location only writable by root, which SHOULD be /usr/share/keyrings. The key MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by apt-key add. A sources.list entry SHOULD have the signed-by option set. The signed-by entry MUST point to a file, and not a fingerprint." Source: 1. https://wiki.debian.org/DebianRepository/UseThirdParty 2. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861695 3. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877012 Please don't confuse people by encouraging different methods in different docs !
--- End Message ---
--- Begin Message ---
- To: Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch>, 992194-done@bugs.debian.org
- Subject: Re: Bug#992194: Need to reflect Debian project preferences on repo keys
- From: Paul Gevers <elbrus@debian.org>
- Date: Sat, 21 Aug 2021 22:49:30 +0200
- Message-id: <f33e6a56-3b94-459f-b351-72c499f69a67@debian.org>
- In-reply-to: <[🔎] 1xBVUcDcxn2vwlvWXbJynB5dDcwRGmjLw_Dr-KV6KMkk1ZaTtDgP_Sj1bKZCSyDX0Y-NGhI8yk2F6CvpdOnO1BBlxocA5h8Y4MUVREgK0hs=@protonmail.ch>
- References: <[🔎] 1xBVUcDcxn2vwlvWXbJynB5dDcwRGmjLw_Dr-KV6KMkk1ZaTtDgP_Sj1bKZCSyDX0Y-NGhI8yk2F6CvpdOnO1BBlxocA5h8Y4MUVREgK0hs=@protonmail.ch>
Hi Laura, On 15-08-2021 18:14, Laura Smith wrote: > The project really needs to make its mind up which way it is going in terms of managing repo keys. > > The bullseye release notes, e.g. 5.3.2. Deprecated components for bullseye make reference to "Keys should be managed by dropping files into /etc/apt/trusted.gpg.d" The discussion was had in bug 980743. A better solution was not found. > But this seems to contravene current Debian policy as stated elsewhere, namely: > > "The key MUST be downloaded over a secure mechanism like HTTPS to a location only writable by root, which SHOULD be /usr/share/keyrings. The key MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by apt-key add. A sources.list entry SHOULD have the signed-by option set. The signed-by entry MUST point to a file, and not a fingerprint." > > Source: > 1. https://wiki.debian.org/DebianRepository/UseThirdParty > 2. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861695 > 3. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877012 > > Please don't confuse people by encouraging different methods in different docs ! Sometimes documents get outdated. PaulAttachment: OpenPGP_signature
Description: OpenPGP digital signature
--- End Message ---