
Re: Stateless OpenPGP command-line interface for package management


Quoting David Kalnischkies (2020-02-06 16:43:22)
> On Thu, Feb 06, 2020 at 03:28:28PM +0100, Johannes Schauer wrote:
> >    "I have a keyring I know that I want to use (like
> >    /usr/share/keyrings/ubuntu-archive-keyring.gpg) -- is the key material from
> >    that keyring fully included in the keys trusted by apt?"
> That is a question though you should ideally ask apt instead of trying
> to peek inside its trusted keyrings and figure it out by yourself.
> Who knows what might change in the keyring setup in the future. [0]
> So if you can outline an interface I guess we can add it to apt-key to
> decouple mmdebstrap from this

I thought using apt-key was discouraged?

The interface I need is very simple. I want to be able to give apt a keyring or
a fingerprint and ask it: do you trust that one or not?

I don't know whether I talked about that to you or Julian via IRC but the
conclusion was that implementing it via calls to gpg and relying on
/etc/apt/trusted.gpg(.d) was the right thing to do.

> (I didn't mention your bootstrap specifically as I thought you were one of
> the lucky ones by delegating all these problems to apt).

Far from it. Today you already discovered how bloated mmdebstrap is. One reason
is that lots of stuff that could be in dpkg/apt actually is not. Dpkg recently
made progress on changing this. My long-term goal is to make mmdebstrap useless
because apt offers something like "apt-get bootstrap" or the like.


cheers, josch
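
The check discussed in this message (is every key of a given keyring also in /etc/apt/trusted.gpg(.d)?), as an added example that is not code from this thread, from apt or from mmdebstrap. It compares primary-key fingerprints only, and assumes a gpg that supports `--show-keys` and that trusted.gpg.d holds `*.gpg` and `*.asc` files; the function names and the SAMPLE listing are constructed for illustration.

```python
import glob
import subprocess

# Paths from the mail; the file suffixes under trusted.gpg.d are an assumption.
APT_TRUSTED = ["/etc/apt/trusted.gpg", "/etc/apt/trusted.gpg.d/*.gpg",
               "/etc/apt/trusted.gpg.d/*.asc"]

# Constructed `gpg --with-colons` listing: one primary key with one subkey.
SAMPLE = """\
pub:-:4096:1:0123456789ABCDEF:1336770936:::-:::scSC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA01234567:
uid:-::::1336770936::X::Constructed Archive Key <archive@example.org>::::::::::0:
sub:-:4096:1:89ABCDEF01234567:1336770936::::::s::::::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB89ABCDEF:
"""


def primary_fingerprints(colon_listing):
    """Return the primary-key fingerprints found in colon-format gpg output."""
    fprs, last = set(), None
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            last = fields[0]          # remember which key the next fpr belongs to
        elif fields[0] == "fpr" and last == "pub" and len(fields) > 9:
            fprs.add(fields[9].upper())  # field 10 of an fpr record
            last = None
    return fprs


def list_keyring(path):
    """List one keyring file with gpg, without importing anything from it."""
    out = subprocess.run(
        ["gpg", "--batch", "--with-colons", "--show-keys", path],
        check=True, capture_output=True, text=True).stdout
    return primary_fingerprints(out)


def missing_from_apt(wanted, trusted):
    """Fingerprints in `wanted` that are absent from `trusted` (empty = all there)."""
    return sorted(wanted - trusted)


def check(keyring_path, patterns=APT_TRUSTED):
    """Return fingerprints of keyring_path that apt's trusted keyrings lack."""
    trusted = set()
    for pattern in patterns:
        for path in glob.glob(pattern):
            trusted |= list_keyring(path)
    return missing_from_apt(list_keyring(keyring_path), trusted)
```

An empty list from `check("/usr/share/keyrings/ubuntu-archive-keyring.gpg")` means every primary key in that keyring is also present in apt's trusted keyrings; it says nothing about subkeys, expiry or revocation.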
