Re: gpg keyrings.
Julian Gilbey <J.D.Gilbey@qmw.ac.uk> writes:
> (1) It could be documented on http://keyring.debian.org/
I'm sure it could...[0]
> (2) I wouldn't have thought of using anonymous rsync either
Err, and? Look, it's very simple:
a) anonymous good, automated access to an allegedly secure account bad.
b) debian's keyrings rsync _very very well_[1].
> (3) I don't yet have much idea how debsig-verify works, but if it
> uses [...]
I really couldn't care much less about debsig-verify right now
(especially after the recent dpkg SNAFU), but if it requires an
up-to-date keyring package then it is IMNSHO broken.
The canonical source for the debian keyring _is_[2] keyring.debian.org
(via anon-rsync); period. The package is a convenience, nothing
more[3].
--
James
[0] Stuff tends to get put there in the same way that the key server
got there; i.e. someone useful actually did the work rather than
complaining the work wasn't being done.
[1] Small isolated changes to large (relatively) files.
[2] The only possible other contender for this claim is
/debian/doc/debian-keyring.tar.gz (on f.d.o or mirrors) which is
the historical canonical location (and predates the packaging by
several years at least).
[3] Matthew guessed pretty accurately as to why it's irregularly
updated.